diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 4658a2f02b..dca5878bff 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -119,5 +119,7 @@
 "git_repository_branch_open_to_public_contributors": "master",
 "skip_source_output_uploading": false,
 "dependent_repositories": [],
- "need_generate_pdf_url_template": false
-}
\ No newline at end of file
+ "need_generate_pdf_url_template": false,
+ "need_preview_pull_request": true
+}
+
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 18e4f74620..6edf0bae08 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -56,31 +56,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
-"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting",
-"redirect_document_id": true
-},
-{
-"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
-"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub",
-"redirect_document_id": true
-},
-{
-"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md",
-"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub",
-"redirect_document_id": true
-},
-{
-"source_path": "devices/surface-hub/surface-hub-administrators-guide.md",
-"redirect_url": "/itpro/surface-hub/index",
-"redirect_document_id": true
-},
-{
-"source_path": "devices/surface-hub/intro-to-surface-hub.md",
-"redirect_url": "/itpro/surface-hub/index",
-"redirect_document_id": false
-},
-{
 "source_path": "windows/manage/waas-quick-start.md",
 "redirect_url": "/itpro/windows/update/waas-quick-start",
 "redirect_document_id": true
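Review bot: The new side of the `.openpublishing.publish.config.json` hunk ends with an empty `+` line after `+}`, so the file now closes with a blank line instead of a single trailing newline; drop that last `+` line so the file ends at `}` followed by one newline. Separately, `"need_preview_pull_request": true` appears to turn on preview builds for pull requests, and the context line `"git_repository_branch_open_to_public_contributors": "master"` shows this branch accepts external contributions — confirm that preview builds of unreviewed PRs run without the credentials used for the real publish, since what that flag triggers is not visible in this diff.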
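Review bot: Removing the five `devices/surface-hub/*` entries from `.openpublishing.redirection.json` means those source paths no longer redirect to the `/itpro/surface-hub/...` targets listed on the removed lines; unless the corresponding pages are reinstated elsewhere in this commit (not visible here), inbound links to them will break rather than redirect. Please confirm the pages exist again in the tree, or keep the redirects. The enclosing array continues outside the hunk.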
@@ -646,6 +621,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/manage/cortana-at-work-overview.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-overview",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/manage/manage-inventory-windows-store-for-business.md",
 "redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business",
 "redirect_document_id": true
@@ -1139,6 +1119,6 @@
 "source_path": "windows/whats-new/security.md",
 "redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10",
 "redirect_document_id": false
-},
+}
 ]
 }
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index fb6c3024d1..e360930f75 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible.
 1. Go to the page on TechNet that you want to update, and then click **Contribute**.
- ![GitHub Web, showing the Contribute link](images/contribute-link.png)
+ ![GitHub Web, showing the Contribute link](images/contribute-link.png)
 2. Log into (or sign up for) a GitHub account.
@@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible.
 3. Click the **Pencil** icon (in the red box) to edit the content.
- ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
+ ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
 - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
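Review bot: The `-},` / `+}` change in the `@@ -1139,6 +1119,6 @@` hunk is what makes `.openpublishing.redirection.json` valid under a strict RFC 8259 parser (a trailing comma before `]` is rejected), but the new side still ends without a trailing newline — `\ No newline at end of file` remains after the closing `}`. While touching the end of the file, add a single final newline so the document ends `}` + newline. The preceding `@@ -646,6 +621,11 @@` hunk, which adds the `cortana-at-work-overview.md` entry, is consistent with its neighbours and needs no change.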
@@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible. 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. @@ -48,7 +48,7 @@ We've tried to make editing an existing, public file as simple as possible. 7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. If there are no problems, you’ll see the message, **Able to merge**. - + ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index c52a45bbad..8c8984005a 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -5,11 +5,11 @@ author: eross-msft ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library -title: Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge (Microsoft Edge for IT Pros) +title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) localizationpriority: high --- -# Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge +# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge **Applies to:** 
@@ -272,7 +272,10 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A ### Keep favorites in sync between Internet Explorer and Microsoft Edge - **Supported versions:** Windows 10, version 1703 -- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. +- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position. + + >[!Note] + >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. - If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. @@ -367,7 +370,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears. -## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge +## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page. > [!NOTE] @@ -954,8 +957,10 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **0 (default).** Synchronization is turned off. - - **1.** Synchronization is turned on. + - **1.** Synchronization is turned on. + >[!Note] + >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. ## Microsoft Edge and Windows 10-specific Group Policy settings These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge. 
@@ -1026,4 +1031,4 @@ These are additional Windows 10-specific MDM policy settings that work with Mic ## Related topics * [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514) -* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) \ No newline at end of file +* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) \ No newline at end of file diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index ce750be2f7..0ce06c2d4f 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -15,7 +15,7 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th ## February 2017 |New or changed topic | Description | |----------------------|-------------| -|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | +|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | ## November 2016 |New or changed topic | Description | diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index a923c7b2dd..9660d3d146 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md @@ -82,7 +82,7 @@ To make sure your site list is up-to-date; wait 65 seconds after opening IE and ## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). - ![](images/wedge.gif) **To add multiple sites** + **To add multiple sites** 1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 4770a4ffb0..327a105fef 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -92,7 +92,7 @@ To make sure your site list is up-to-date; wait 65 seconds after opening IE and ## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2) After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2). - ![](images/wedge.gif) **To add multiple sites** + **To add multiple sites** 1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 7e8c3c6910..1140d08486 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -27,7 +27,7 @@ Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, lett You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). - ![](images/wedge.gif) **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** 1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index b18fa646cd..3ee1358e16 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -27,7 +27,7 @@ Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, lett You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - ![](images/wedge.gif) **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** 1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index a64b645896..3ab6081d7c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md @@ -26,7 +26,7 @@ If you experience issues while setting up your proxy server, you can try these t - Check that the browser is pointing to the right automatic configuration script location. - ![](images/wedge.gif) **To check your proxy server address** + **To check your proxy server address** 1. On the **Tools** menu, click **Internet Options**, and then **Connections**. @@ -34,7 +34,7 @@ If you experience issues while setting up your proxy server, you can try these t 3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). - ![](images/wedge.gif) **To check that you've turned on the correct settings** + **To check that you've turned on the correct settings** 1. On the **Tools** menu, click **Internet Options**, and then click **Connections**. @@ -42,7 +42,7 @@ If you experience issues while setting up your proxy server, you can try these t 3. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. - ![](images/wedge.gif) **To check that you're pointing to the correct automatic configuration script location** + **To check that you're pointing to the correct automatic configuration script location** 1. On the **Tools** menu, click **Internet Options**, and then click **Connections**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index f49ab30704..5b02b0d37f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -17,7 +17,7 @@ Automatic configuration lets you apply custom branding and graphics to your inte ## Adding the automatic configuration registry key For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs. - ![](images/wedge.gif) **To add the registry key** + **To add the registry key** 1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**. @@ -39,7 +39,7 @@ For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.

**Important**
Your branding changes won't be added or updated if you've previously chosen the **Disable external branding of IE** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). - ![](images/wedge.gif) **To update your settings** + **To update your settings** 1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index b93b60f816..c454b9eb42 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -23,7 +23,7 @@ Automatic detection works even if the browser wasn't originally set up or instal ## Updating your automatic detection settings To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options. - ![](images/wedge.gif) **To turn on automatic detection for DHCP servers** + **To turn on automatic detection for DHCP servers** 1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. @@ -31,7 +31,7 @@ To use automatic detection, you have to set up your DHCP and DNS servers.

**No 3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - ![](images/wedge.gif) **To turn on automatic detection for DNS servers** + **To turn on automatic detection for DNS servers** 1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index 119052b438..a9ac089edf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md @@ -17,7 +17,7 @@ Configure and maintain your proxy settings, like pointing your users' browsers t ## Updating your auto-proxy settings You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. - ![](images/wedge.gif) **To update your settings** + **To update your settings** 1. Create a script file with your proxy information, copying it to a server location. diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index cf90d5c6b3..9c4a55c2bd 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md 
@@ -21,7 +21,7 @@ Before you install Internet Explorer 11, you should: - **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. - - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://go.microsoft.com/fwlink/p/?linkid=276667). + - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune). - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). 
For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index 1d2df29b8f..51f61a1b66 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -19,7 +19,7 @@ You'll create multiple versions of your custom browser package if: - You have custom installation packages with only minor differences. Like, having a different phone number. - ![](images/wedge.gif) **To create a new package** + **To create a new package** 1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 360620938d..267c606f8b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -22,7 +22,7 @@ ms.sitesec: library - Windows Server 2008 R2 with Service Pack 1 (SP1) - ![](images/wedge.gif) **To delete a single site from your global Enterprise Mode site list** + **To delete a single site from your global Enterprise Mode site list** - From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
The site is permanently removed from your list. diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index affd42d162..708fccaaa2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -45,7 +45,7 @@ To follow the examples in this topic, you’ll need to pin the Bing (http://www. ### Step 1: Creating .website files The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks. - ![](images/wedge.gif) **To create each .website file** + **To create each .website file** 1. Open the website in IE11. @@ -56,7 +56,7 @@ The first step is to create a .website file for each website that you want to pi ### Step 2: Copying the .website files to the deployment share Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer. - ![](images/wedge.gif) **To copy .website files to the deployment share** + **To copy .website files to the deployment share** 1. Open your MDT 2013 deployment share in Windows Explorer. 
@@ -67,7 +67,7 @@ Next, you must enable your deployment share to copy the bing.website and msn.web ### Step 3: Copying .website files to target computers After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar. - ![](images/wedge.gif) **To copy .website files to target computers** + **To copy .website files to target computers** 1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**. @@ -84,7 +84,7 @@ After your operating system is installed on the target computer, you need to cop ### Step 4: Pinning .website files to the Taskbar With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar. - ![](images/wedge.gif) **To pin .website files to the Taskbar** + **To pin .website files to the Taskbar** 1. Open the Windows System Image Manager (Windows SIM). diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 7ebacccb8b..004a42cb19 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md 
@@ -25,7 +25,7 @@ You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to c If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). - ![](images/wedge.gif) **To change how your page renders** + **To change how your page renders** 1. In the Enterprise Mode Site List Manager, double-click the site you want to change. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index 4a7966faaa..68b09c2320 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md @@ -27,7 +27,7 @@ There are 4 types of add-ons: ## Using the Local Group Policy Editor to manage group policy objects You can use the Local Group Policy Editor to change how add-ons work in your organization. - ![](images/wedge.gif) **To manage add-ons** + **To manage add-ons** 1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`. 
@@ -58,7 +58,7 @@ You can use the Local Group Policy Editor to change how add-ons work in your org ## Using the CLSID and Administrative Templates to manage group policy objects Because every add-on has a Class ID (CLSID), you can use it to enable and disable specific add-ons, using Group Policy and Administrative Templates. - ![](images/wedge.gif) **To manage add-ons** + **To manage add-ons** 1. Get the CLSID for the add-on you want to enable or disable: diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index e78df6c4c1..16c87cb775 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -224,75 +224,9 @@ In this example, `contoso.com/about/careers` will use the default version of Int ## How to target specific sites If you want to target specific sites in your organization. - - - - - - - - - - - - - - - - - - - - - - - - - -
Targeted siteExampleExplanation
You can specify subdomains in the domain tag -
-<docMode>
-  <domain docMode="5">contoso.com</domain>
-  <domain docMode="9">info.contoso.com</domain>
-<docMode>
-
    -
  • contoso.com uses document mode 5.
  • -
  • info.contoso.com uses document mode 9.
  • -
  • test.contoso.com also uses document mode 5.
  • -
-
You can specify exact URLs by listing the full path -
-<emie>
-  <domain exclude="false">bing.com</domain>
-  <domain exclude="false" forceCompatView="true">contoso.com</domain>
-<emie>
-
    -
  • bing.com uses IE8 Enterprise Mode.
  • -
  • contoso.com uses IE7 Enterprise Mode.
  • -
-
You can nest paths underneath domains -
-<emie>
-  <domain exclude="true">contoso.com
-    <path exclude="false">/about</path>
-    <path exclude="true">/about/business</path>
-  </domain>
-</emie>
-
    -
  • contoso.com will use the default version of IE.
  • -
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
  • -
-
You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored -
-<emie>
-  <domain exclude="true">contoso.com
-    <path>/about
-    <path exclude="true">/business</path>
-    </path>
-  </domain>
-</emie>
-
    -
  • contoso.com will use the default version of IE.
  • -
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
  • -
-
\ No newline at end of file +|Targeted site |Example |Explanation | +|--------------|--------|------------| +|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode>
|

| +|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>
|| +|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie>
| | +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
| | \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index b45f274bcc..6cbc411a30 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md @@ -26,7 +26,7 @@ After you create your Enterprise Mode site list in the Enterprise Mode Site List **Important**
  This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file. - ![](images/wedge.gif) **To export your compatibility list** + **To export your compatibility list** 1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 94e5e4a1da..c8d09c6157 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -50,7 +50,7 @@ After you’ve figured out the document mode that fixes your compatibility probl **Note**
There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - ![](images/wedge.gif) **To add your site to the site list** + **To add your site to the site list** 1. Open the Enterprise Mode Site List Manager, and click **Add**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index 3ae9e11aab..eed0b6ac55 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md @@ -29,7 +29,7 @@ From AGPM you can: - **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment. **Note**
-For more information about AGPM, and to get the license, see [Microsoft Advanced Group Policy Management 4.0 SP1 Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=294916). +For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975).   diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index a5c8385649..f30e991051 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -23,7 +23,7 @@ Group Policy includes the Shortcuts preference extension, which lets you configu ## How do I configure shortcuts? You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC). - ![](images/wedge.gif) **To create a new Shortcut preference item** + **To create a new Shortcut preference item** 1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index a52315fec5..a896a41f84 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md 
@@ -26,7 +26,7 @@ If you need to replace your entire site list because of errors, or simply becaus **Important**   Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do. - ![](images/wedge.gif) **To import your compatibility list** + **To import your compatibility list** 1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 37a5a38754..94b6be9b40 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -16,7 +16,7 @@ Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft I ## Adding and deploying the IE11 package You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. - ![](images/wedge.gif) **To add the IE11 package** + **To add the IE11 package** 1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. @@ -24,7 +24,7 @@ You can add and then deploy the IE11 package to any computer that's managed by M For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - ![](images/wedge.gif) **To automatically deploy and install the IE11 package** + **To automatically deploy and install the IE11 package** 1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. 
@@ -34,7 +34,7 @@ For more info about how to decide which one to use, and how to use it, see [Depl For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - ![](images/wedge.gif) **To let your employees install the IE11 package** + **To let your employees install the IE11 package** 1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index 88f8a3c2f5..63cbd88f37 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md @@ -26,7 +26,7 @@ After you install the .msu file updates, you'll need to add them to your MDT dep MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148). - ![](images/wedge.gif) **To add IE11 to a MDT deployment share** + **To add IE11 to a MDT deployment share** 1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index 3e5c532158..8a65258e74 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md @@ -14,7 +14,7 @@ ms.sitesec: library # Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. - ![](images/wedge.gif) **To install IE11** + **To install IE11** 1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index 90d10b49a1..7c9f00ad35 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md @@ -15,11 +15,11 @@ You can install Internet Explorer 11 (IE11) over your network by putting your c **Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file. - ![](images/wedge.gif) **To manually create the folder structure** + **To manually create the folder structure** - Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. - ![](images/wedge.gif) **To create the folder structure using IEAK 11** + **To create the folder structure using IEAK 11** - Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index d3d5a75fb7..a06e7ae728 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -13,7 +13,7 @@ ms.sitesec: library # Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). - ![](images/wedge.gif) **To import from Windows Update to WSUS** + **To import from Windows Update to WSUS** 1. Open your WSUS admin site. For example, `http:///WSUSAdmin/`.

Where `` is the name of your WSUS server. @@ -28,7 +28,7 @@ Where `` is the name of your WSUS server. You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. - ![](images/wedge.gif) **To approve Internet Explorer in WSUS for installation** + **To approve Internet Explorer in WSUS for installation** 1. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md index b077e4a853..0469d85cb3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md @@ -30,7 +30,7 @@ If you do, you can: ## Internet Explorer didn't finish installing If Internet Explorer doesn't finish installing, it might mean that Windows Update wasn't able to install an associated update, that you have a previous, unsupported version of IE installed, or that there's a problem with your copy of IE. We recommend you try this: - ![](images/wedge.gif) **To fix this issue** + **To fix this issue** 1. Uninstall IE: diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index c51449c0b6..c3ddb1943c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md 
@@ -22,7 +22,7 @@ IE11 works differently with search, based on whether your organization is domain To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like ` contoso/` or the `http://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. - ![](images/wedge.gif) **To enable single-word intranet search** + **To enable single-word intranet search** 1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md index 7bb84e0a16..d25450aae1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md @@ -32,7 +32,7 @@ There might be extenuating circumstances in your company, which require you to c **Important**
This functionality is only available in Internet Explorer for the desktop. - ![](images/wedge.gif) **To change your Compatibility View settings** + **To change your Compatibility View settings** 1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index 93d825a26b..75d0ad1469 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -13,7 +13,7 @@ ms.sitesec: library # .NET Framework problems with Internet Explorer 11 If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. - ![](images/wedge.gif) **To turn managed browser hosting controls back on** + **To turn managed browser hosting controls back on** 1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 8baab504ad..04b5f82c88 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md 
@@ -67,7 +67,7 @@ Out-of-date ActiveX control blocking also gives you a security warning that tell ## How do I fix an outdated ActiveX control or app? From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version. - ![](images/wedge.gif) **To get the updated ActiveX control** + **To get the updated ActiveX control** 1. From the notification bar, tap or click **Update**.

IE opens the ActiveX control’s website. @@ -76,7 +76,7 @@ IE opens the ActiveX control’s website. **Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again. - ![](images/wedge.gif) **To get the updated app** + **To get the updated app** 1. From the security warning, tap or click **Update** link.

IE opens the app’s website. @@ -184,7 +184,7 @@ Before you can use WMI to inventory your ActiveX controls, you need to [download Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer. - ![](images/wedge.gif) **To configure IE to use WMI logging** + **To configure IE to use WMI logging** 1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index 544daf207b..8a1618533a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md @@ -39,7 +39,7 @@ RIES turns off all custom toolbars, browser extensions, and customizations insta ## IE is crashing or seems slow If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode. - ![](images/wedge.gif) **To check your browser add-ons** + **To check your browser add-ons** 1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. @@ -51,7 +51,7 @@ If the browser doesn't crash, open Internet Explorer for the desktop, click the 4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. - ![](images/wedge.gif) **To check for Software Rendering mode** + **To check for Software Rendering mode** 1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 017f71560c..72143e9cb1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -26,7 +26,7 @@ You can clear all of the sites from your global Enterprise Mode site list. **Important**   This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. - ![](images/wedge.gif) **To clear your compatibility list** + **To clear your compatibility list** 1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md index 4972cd8ee7..cf988c785a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md @@ -23,7 +23,7 @@ ms.sitesec: library Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. - ![](images/wedge.gif) **To remove sites from a local compatibility view list** + **To remove sites from a local compatibility view list** 1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md index 1e353200e8..9712b3448d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -25,7 +25,7 @@ Remove websites that were added to a local Enterprise Mode site list by mistake **Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. -  ![](images/wedge.gif) **To remove single sites from a local Enterprise Mode site list** +  **To remove single sites from a local Enterprise Mode site list** 1. Open Internet Explorer 11 and go to the site you want to remove. @@ -34,7 +34,7 @@ The checkmark disappears from next to Enterprise Mode and the site is removed fr **Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. - ![](images/wedge.gif) **To remove all sites from a local Enterprise Mode site list** + **To remove all sites from a local Enterprise Mode site list** 1. Open IE11, click **Tools**, and then click **Internet options**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md index 98e002f0ea..c13d249a8a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -23,7 +23,7 @@ ms.sitesec: library You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. - ![](images/wedge.gif) **To save your list as XML** + **To save your list as XML** 1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index b45e7b3744..a26554c11b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -23,7 +23,7 @@ ms.sitesec: library You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. - ![](images/wedge.gif) **To search your compatibility list** + **To search your compatibility list** - From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 7f11bf5d7f..66d13bed09 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -14,7 +14,7 @@ ms.sitesec: library # Set the default browser using Group Policy You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10. - ![](images/wedge.gif) **To set the default browser as Internet Explorer 11** + **To set the default browser as Internet Explorer 11** 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index 7a8ec67cc5..32d0ba628a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -34,7 +34,7 @@ Getting these reports lets you find out about sites that aren’t working right, ## Using ASP to collect your data When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. - ![](images/wedge.gif) **To set up an endpoint server** + **To set up an endpoint server** 1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). 
@@ -80,7 +80,7 @@ This sample starts with you turning on Enterprise Mode and logging (either throu ### Setting up, collecting, and viewing reports For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report. - ![](images/wedge.gif) **To set up the sample** + **To set up the sample** 1. Set up a server to collect your Enterprise Mode information from your users. @@ -91,7 +91,7 @@ For logging, you’re going to need a valid URL that points to a server that can 4. On the **Build** menu, tap or click **Build Solution**.

The required packages are automatically downloaded and included in the solution. - ![](images/wedge.gif) **To set up your endpoint server** + **To set up your endpoint server** 1. Right-click on the name, PhoneHomeSample, and click **Publish**. @@ -106,7 +106,7 @@ The required packages are automatically downloaded and included in the solution. After you finish the publishing process, you need to test to make sure the app deployed successfully. - ![](images/wedge.gif) **To test, deploy, and use the app** + **To test, deploy, and use the app** 1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: @@ -122,7 +122,7 @@ The required packages are automatically downloaded and included in the solution. 3. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. - ![](images/wedge.gif) **To view the report results** + **To view the report results** - Go to `http:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. @@ -133,7 +133,7 @@ If you’re already on the webpage, you’ll need to refresh the page to see the ### Troubleshooting publishing errors If you have errors while you’re publishing your project, you should try to update your packages. - ![](images/wedge.gif) **To update your packages** + **To update your packages** 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md index 25e253872a..cd25d1df05 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md @@ -28,14 +28,14 @@ In addition, if you no longer want your users to be able to turn Enterprise Mode **Important**
Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. -  ![](images/wedge.gif) **To turn off the site list using Group Policy** +  **To turn off the site list using Group Policy** 1. Open your Group Policy editor, like Group Policy Management Console (GPMC). 2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. - ![](images/wedge.gif) **To turn off local control using Group Policy** + **To turn off local control using Group Policy** 1. Open your Group Policy editor, like Group Policy Management Console (GPMC). @@ -43,7 +43,7 @@ Enterprise Mode will no longer look for the site list, effectively turning off E 3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. - ![](images/wedge.gif) **To turn off the site list using the registry** + **To turn off the site list using the registry** 1. Open a registry editor, such as regedit.exe. @@ -53,7 +53,7 @@ You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the 3. Close all and restart all instances of Internet Explorer.

IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). - ![](images/wedge.gif) **To turn off local control using the registry** + **To turn off local control using the registry** 1. Open a registry editor, such as regedit.exe. diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md index 16525df353..49f803662c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md @@ -15,7 +15,7 @@ By default, Internet Explorer 11 uses “natural metrics”. Natural metrics us However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites. - ![](images/wedge.gif) **To turn off natural metrics** + **To turn off natural metrics** - Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi` diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index abdbbc4db2..ef3ed29d52 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -26,7 +26,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi **Note**
We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employee’s computers so if the centralized file location is unavailable, they can still use Enterprise Mode. - ![](images/wedge.gif) **To turn on Enterprise Mode using Group Policy** + **To turn on Enterprise Mode using Group Policy** 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. @@ -35,7 +35,7 @@ Turning this setting on also requires you to create and store a site list. For m 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - ![](images/wedge.gif) **To turn on Enterprise Mode using the registry** + **To turn on Enterprise Mode using the registry** 1. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.

-OR-

diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index e816e64698..04edbdc3b7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -25,7 +25,7 @@ You can turn on local control of Enterprise Mode so that your users can turn Ent Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu. - ![](images/wedge.gif) **To turn on local control of Enterprise Mode using Group Policy** + **To turn on local control of Enterprise Mode using Group Policy** 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. @@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. - ![](images/wedge.gif) **To turn on local control of Enterprise Mode using the registry** + **To turn on local control of Enterprise Mode using the registry** 1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index a4a2db0dae..86929579b2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -26,7 +26,7 @@ You can see your security zone settings by opening Internet Explorer for the des ## Where did the Favorites, Command, and Status bars go? For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings. - ![](images/wedge.gif) **To turn the toolbars back on** + **To turn the toolbars back on** - Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu.

-OR-

diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md index aeeb37ff4b..7e15a06d41 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md @@ -13,7 +13,7 @@ ms.sitesec: library # Using Setup Information (.inf) files to create install packages IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959). - ![](images/wedge.gif) **To add uninstallation instructions to the .inf files** + **To add uninstallation instructions to the .inf files** - Open the Registry Editor (regedit.exe) and add these registry keys: ``` diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 5fb6495a74..443fee4ab1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -26,7 +26,7 @@ The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delive **Important**
The IE11 Blocker Toolkit doesn't stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you've installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. - ![](images/wedge.gif) **To install the toolkit** + **To install the toolkit** 1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md index 4e54434a53..e44077d74d 100644 --- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md @@ -16,7 +16,7 @@ The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) **Note**
The customizations you make on this page apply only to Internet Explorer for the desktop. -![](images/wedge.gif) **To use the Accelerators page** + **To use the Accelerators page** 1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list. diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md index 133e7f4411..0a2f864dce 100644 --- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md @@ -21,7 +21,7 @@ While you might not care about your employees using ActiveX controls while on yo For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `\Windows\Downloaded Program Files` folder. Then, as part of your browser package, you can enable and approve these ActiveX controls to run on this specific site; while all additional controls are blocked. -![](images/wedge.gif) **To add and approve ActiveX controls** +**To add and approve ActiveX controls** 1. In IE, click **Tools**, and then **Internet Options**. diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md index ef6c2ef932..f8749f2d50 100644 --- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md 
@@ -19,7 +19,7 @@ You can store your user settings in a central location so your employees that lo You’ll only see this page if you are running the **Internal** version of the IE Customization Wizard 11. -![](images/wedge.gif) **To use the Additional Settings page** +**To use the Additional Settings page** 1. Double-click **Custom Settings**, **Corporate Settings**, or **Internet Settings**, and review the included policy or restriction settings. diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md index 35814166ac..2147e5ba34 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md @@ -20,13 +20,13 @@ You can set your proxy settings using Internet setting (.ins) files. You can als You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages. -![](images/wedge.gif) **To check the existing settings on your employee’s devices** +**To check the existing settings on your employee’s devices** 1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab. 2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box. -![](images/wedge.gif) **To use the Automatic Configuration page** +**To use the Automatic Configuration page** 1. Check the **Automatically detect configuration settings** box to automatically detect browser settings. 
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md index 65baf63d4b..16ee9d90bb 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md @@ -15,7 +15,7 @@ Set up your network to automatically detect and customize Internet Explorer 11 Before you can set up your environment to use automatic detection, you need to turn the feature on. -![](images/wedge.gif) **To turn on the automatic detection feature** +**To turn on the automatic detection feature** - Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md). @@ -30,7 +30,7 @@ Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP option

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. -![](images/wedge.gif) **To set up automatic detection for DHCP servers** +**To set up automatic detection for DHCP servers** - Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). @@ -40,7 +40,7 @@ DHCP has a higher priority than DNS for automatic configuration. If DHCP provide `http://123.4.567.8/account.pac`

For more detailed info about how to set up your DHCP server, see your server documentation. -![](images/wedge.gif) **To set up automatic detection for DNS servers** +**To set up automatic detection for DNS servers** 1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

The syntax is:
` IN A `
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md index ee3c61b17f..a348c82fd6 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md @@ -27,7 +27,7 @@ The **Automatic Version Synchronization** page tells you: - **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11. -![](images/wedge.gif) **To use the Automatic Version Synchronization page** +**To use the Automatic Version Synchronization page** 1. Click **Synchronize**.

You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue. diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md index 08004bb0a9..de3cd4ccb5 100644 --- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md @@ -15,7 +15,7 @@ The **Browser User Interface** page of the Internet Explorer Customization Wizar **Note**
The customizations you make on this page apply only to Internet Explorer for the desktop. - ![](images/wedge.gif) **To use the Browser User Interface page** + **To use the Browser User Interface page** 1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.

The text shows up in the title bar as **IE provided by** <*your_custom_text*>. diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md index f4bab58e1e..3f600fbdde 100644 --- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md @@ -15,7 +15,7 @@ The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. -![](images/wedge.gif) **To use the Browsing Options page** +**To use the Browsing Options page** 1. Decide how you want to manage links that are already installed on your employee’s computer: diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md index 0d7cf5093e..ffc214c941 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md @@ -15,13 +15,13 @@ The **Connection Settings** page of the Internet Explorer Administration Kit (IE **Note**
Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page. -![](images/wedge.gif) **To view your current connection settings** +**To view your current connection settings** 1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab. 2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings. -![](images/wedge.gif) **To use the Connection Settings page** +**To use the Connection Settings page** 1. Decide if you want to customize your connection settings. You can pick: diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md index 568dfaaa3d..947b9febe9 100644 --- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md 
@@ -21,7 +21,7 @@ You'll need to create multiple versions of your custom browser package if: The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). -![](images/wedge.gif) **To create multiple versions of your browser package** +**To create multiple versions of your browser package** 1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic. diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md index bcc88868ed..1715dfaa58 100644 --- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md +++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md @@ -13,7 +13,7 @@ ms.sitesec: library # Use uninstallation .INF files to uninstall custom components The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**. -![](images/wedge.gif) **To uninstall your custom components** +**To uninstall your custom components** 1. Open the Registry Editor and add a new key and value to:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`

Where *description* is the string that’s shown in the **Uninstall or change a program** box. diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md index ca0125b893..86c289b22d 100644 --- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md @@ -15,7 +15,7 @@ The **Custom Components** page of the Internet Explorer Customization Wizard 11 **Important**
You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md). -![](images/wedge.gif) **To use the Custom Component page** +**To use the Custom Component page** 1. Click **Add**.

The **Add a Custom Component** box appears. diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index ba2b7e4076..7f915b87aa 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md @@ -18,7 +18,7 @@ Using the **Administrative Templates** section of Group Policy, you can prevent ## Automatic Search Configuration You can customize Automatic Search so that your employees can type a single word into the **Address** box to search for frequently used pages. For example, you can let a commonly used webpage about invoices appear if an employee types *invoice* into the **Address** box, even if the URL doesn’t include the term. If a website can’t be associated with the term, or if there are multiple matches, a webpage appears showing the top search results. -![](images/wedge.gif) **To set up Automatic Search** +**To set up Automatic Search** 1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: http://ieautosearch/response.asp?MT=%1&srch=%2.

For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

@@ -28,11 +28,11 @@ For info about the acceptable values for the *%1* and *%2* parameters, see the [ 3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. -![](images/wedge.gif) **To redirect to a different site than the one provided by the search results** +**To redirect to a different site than the one provided by the search results** - In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**. -![](images/wedge.gif) **To disable Automatic Search** +**To disable Automatic Search** - In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**. diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md index fc1ffdd687..44dcbe0155 100644 --- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md @@ -21,7 +21,7 @@ The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Admini Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop. -![](images/wedge.gif) **To work with Favorites** +**To work with Favorites** 1. To import your existing folder of links, pick **Favorites**, and then click **Import**. 
@@ -52,7 +52,7 @@ The **Details** box appears.
13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
-![](images/wedge.gif) **To work with the Favorites Bar**
+**To work with the Favorites Bar**
1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**.
@@ -78,7 +78,7 @@ The **Details** box appears.
11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
-![](images/wedge.gif) **To work with RSS Feeds**
+**To work with RSS Feeds**
1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.

The **Details** box appears.
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index 6c37c85e24..f7861e2e5c 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -43,7 +43,7 @@ The **Feature Selection** page of the Internet Explorer Customization Wizard 11
**Note**
Your choices on this page determine what wizard pages appear.
-![](images/wedge.gif) **To use the Feature Selection page**
+**To use the Feature Selection page**
1. Check the box next to each feature you want to include in your custom installation package.

You can also click **Select All** to add, or **Clear All** to remove, all of the features.
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index 9081a2c20e..548ad0016d 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -20,7 +20,7 @@ The **File Locations** page of the Internet Explorer Customization Wizard 11 let
**Important**
You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with.
-![](images/wedge.gif) **To use the File Locations page**
+**To use the File Locations page**
1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.

**Note**
Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders.
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index c3ae5a99f1..27fc79e06b 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -17,7 +17,7 @@ The **First Run Wizard and Welcome Page Options** page of the Internet Explorer
- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page.
-![](images/wedge.gif) **To use the First Run Wizard and Welcome Page Options page**
+**To use the First Run Wizard and Welcome Page Options page**
1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.

Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page.
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 7d15c80a0e..74acabee72 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE.
-![](images/wedge.gif) **To use the Important URLS – Home Page and Support page**
+**To use the Important URLS – Home Page and Support page**
1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.

If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses http://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**.
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index f96568d6ab..22e16c2e81 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Internal Install** page of the Internet Explorer Customization Wizard 11 l
**Note**
The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
-![](images/wedge.gif) **To use the Internal Install page**
+**To use the Internal Install page**
1. Pick either:
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index cbd3082236..625df35a75 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Language Selection** page of the Internet Explorer Customization Wizard 11
**Important**
Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
-![](images/wedge.gif) **To use the Language Selection page**
+**To use the Language Selection page**
1. Pick the language you want your custom IE11 installation package to use.

You can support as many languages as you want, but each localized version must be in its own install package.

diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index 02429b575c..83b0d79dd5 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Package Type Selection** page of the Internet Explorer Customization Wizar
**Important**
You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
-![](images/wedge.gif) **To use the File Locations page**
+**To use the File Locations page**
1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `\\FLAT\\` folder.

-OR-

  diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index f6b5085ea3..0edf5578ef 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md @@ -13,7 +13,7 @@ ms.sitesec: library # Use the Platform Selection page in the IEAK 11 Wizard The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. -![](images/wedge.gif) **To use the Platform Selection page** +**To use the Platform Selection page** 1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

You must create individual packages for each supported operating system.

diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index cf4de55861..5b0a24fd55 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Before you install your package over your network using IEAK 11
Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site.
-![](images/wedge.gif) **To lower your intranet security**
+**To lower your intranet security**
1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab.
@@ -21,7 +21,7 @@ Employees can install the custom browser package using a network server. However
3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**.
-![](images/wedge.gif) **To make your server a trusted site**
+**To make your server a trusted site**
1. From the **Security** tab, click **Trusted sites**, and then **Sites**.
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 947b670ab7..5cc0312c67 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Programs** page of the Internet Explorer Customization Wizard 11 lets you
**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
-![](images/wedge.gif) **To use the Programs page**
+**To use the Programs page**
1. Determine whether you want to customize your connection settings. You can pick:
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index c758d7acbf..3a1e0162be 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 let
Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
-![](images/wedge.gif) **To use the Proxy Settings page**
+**To use the Proxy Settings page**
1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services.
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index 0760b36184..c8c82c121b 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479).
-![](images/wedge.gif) **To add the RSoP snap-in**
+**To add the RSoP snap-in**
1. On the **Start** screen, type *MMC*.

The Microsoft Management Console opens.
@@ -23,7 +23,7 @@ The Microsoft Management Console opens.
3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.

You’re now ready to use the RSoP snap-in from the console.
-![](images/wedge.gif) **To use the RSoP snap-in**
+**To use the RSoP snap-in**
1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.

You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in.
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index d58f446135..f8816f6d9a 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Search Providers** page of the Internet Explorer Customization Wizard 11 l
**Note**
The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
-![](images/wedge.gif) **To use the Search Providers page**
+**To use the Search Providers page**
1. Click **Import** to automatically import your existing search providers from your current version of IE into this list.
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index a59c87f2d8..d88993dbe2 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Use the Security and Privacy Settings page in the IEAK 11 Wizard
The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting.
-![](images/wedge.gif) **To use the Security and Privacy Settings page**
+**To use the Security and Privacy Settings page**
1. Decide if you want to customize your security zones and privacy settings. You can pick:
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
index 11278110c1..2417baf652 100644
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **User Experience** page of the Internet Explorer Customization Wizard 11 le
**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
-![](images/wedge.gif) **To use the User Experience page**
+**To use the User Experience page**
1. Choose how your employee should interact with Setup, including:
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index ddd3a6d6b5..7bdd9bd3f8 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -62,15 +62,14 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft.
## Use the Windows Device Portal to install apps on HoloLens.
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-
-3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
>[!TIP]
- >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
+ >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Apps**.
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 54d65e5489..4674584a48 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -15,17 +15,17 @@ localizationpriority: medium
Kiosk mode limits the user's ability to launch new apps or change the running app. When kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
+2. 
On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
>[!TIP]
- >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
+ >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Kiosk Mode**.
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index c077292864..0b887cc940 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -47,7 +47,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
>[!IMPORTANT]
- >If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery).
+ >If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery).
8. On the **File** menu, click **Save**.
@@ -107,7 +107,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
| Setting | Description |
| --- | --- |
-| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.

**IMPORTANT**
If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
+| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.

**IMPORTANT**
If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) |
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index d8a1c1b901..11331b62f4 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -11,7 +11,7 @@ localizationpriority: medium
# Microsoft HoloLens in the enterprise: requirements
-When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/holographic/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
+When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
## General use
- Microsoft account or Azure Active Directory (Azure AD) account
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index bcc472ca43..8963cea7f3 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -11,7 +11,7 @@ localizationpriority: medium
# Unlock Windows Holographic for Business features
-Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index b57a42f178..698a2db7c4 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -33,8 +33,8 @@ localizationpriority: medium
- [Help for using HoloLens](https://support.microsoft.com/products/hololens)
-- [Documentation for Holographic app development](https://developer.microsoft.com/windows/holographic/documentation)
+- [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/documentation)
- [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
-- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/holographic/release_notes)
\ No newline at end of file
+- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
\ No newline at end of file
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 5d807a4e97..a9cde81f15 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,41 +1,42 @@
# [Microsoft Surface Hub](index.md)
-## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
-## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
-## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
-### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
-### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
-#### [Online deployment](online-deployment-surface-hub-device-accounts.md)
-#### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
-#### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
-#### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
-#### [Create a device account using UI](create-a-device-account-using-office-365.md)
-#### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
-#### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
-#### [Password management](password-management-for-surface-hub-device-accounts.md)
-### [Create provisioning packages](provisioning-packages-for-surface-hub.md)
-### [Admin group management](admin-group-management-for-surface-hub.md)
-## [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
-### [Setup worksheet](setup-worksheet-surface-hub.md)
-### [First-run program](first-run-program-surface-hub.md)
-## [Manage Microsoft Surface Hub](manage-surface-hub.md)
-### [Remote Surface Hub management](remote-surface-hub-management.md)
-#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-#### [Monitor your Surface Hub](monitor-surface-hub.md)
-#### [Windows updates](manage-windows-updates-for-surface-hub.md)
-### [Manage Surface Hub 
settings](manage-surface-hub-settings.md)
-#### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
-#### [Accessibility](accessibility-surface-hub.md)
-#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-surface-hub.md)
-#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
-#### [Wireless network management](wireless-network-management-for-surface-hub.md)
-### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
-### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
-### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-### [Using a room control system](use-room-control-system-with-surface-hub.md)
-## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
-## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
-## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
+## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
+### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
+### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
+#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
+##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
+##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
+##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
+##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
+##### [Create a device account 
using UI](create-a-device-account-using-office-365.md) +##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) +##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md) +##### [Password management](password-management-for-surface-hub-device-accounts.md) +#### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) +#### [Admin group management](admin-group-management-for-surface-hub.md) +### [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) +#### [Setup worksheet](setup-worksheet-surface-hub.md) +#### [First-run program](first-run-program-surface-hub.md) +### [Manage Microsoft Surface Hub](manage-surface-hub.md) +#### [Remote Surface Hub management](remote-surface-hub-management.md) +##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) +##### [Monitor your Surface Hub](monitor-surface-hub.md) +##### [Windows updates](manage-windows-updates-for-surface-hub.md) +#### [Manage Surface Hub settings](manage-surface-hub-settings.md) +##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md) +##### [Accessibility](accessibility-surface-hub.md) +##### [Change the Surface Hub device account](change-surface-hub-device-account.md) +##### [Device reset](device-reset-surface-hub.md) +##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) +##### [Wireless network management](wireless-network-management-for-surface-hub.md) +#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) +#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md) +#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) +#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) +#### [Using a room control 
system](use-room-control-system-with-surface-hub.md) +### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) +### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md) ## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) +## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) +## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) ## [Change history for Surface Hub](change-history-surface-hub.md) \ No newline at end of file diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 7ea46504e4..46348c087d 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surfacehub ms.sitesec: library -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- @@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. | | Other options | Defaults selected for **Visual options** and **Touch feedback**. | -Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md): +Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md): - Narrator - Magnifier - High contrast diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 2abc8df009..7607199209 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md 
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index b04dd91222..76275e3ec8 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -1,5 +1,5 @@
 ---
-title: PowerShell for Surface Hub (Surface Hub)
+title: Appendix PowerShell (Surface Hub)
 description: PowerShell scripts to help set up and manage your Microsoft Surface Hub .
 ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
 keywords: PowerShell, set up Surface Hub, manage Surface Hub
@@ -7,14 +7,14 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
-# PowerShell for Surface Hub
+# Appendix: PowerShell (Surface Hub)
 
-PowerShell scripts to help set up and manage your Microsoft Surface Hub.
+PowerShell scripts to help set up and manage your Microsoft Surface Hub .
 
 - [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
 - [Create an on-premise account](#create-on-premise-ps-scripts)
@@ -43,8 +43,7 @@ What do you need in order to run the scripts?
 - Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers.
 - Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers.
 
->[!NOTE]
->Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
+>**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
 
 
 
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index e49731d001..f6cad56654 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index d8d69bb450..74ee57c2f5 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
@@ -14,10 +14,6 @@ localizationpriority: medium
 
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
 
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
-
 ## February 2017
 
 | New or changed topic | Description |
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 2ad7a30571..6dc6bf7016 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index b6719175f5..914b6136e6 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index 5c6ab373e5..9930a748e3 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index 0d070c1ae5..f2cb38c5f2 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
@@ -49,49 +49,21 @@ If you see a blank screen for long periods of time during the **Reset device** p
 
 ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png)
 
-3. Click **Recovery**, and then, under **Reset device**, click **Get started**.
+3. Click **Recovery**, and then click **Get started**.
 
 ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png)
-
-## Recover a Surface Hub from the cloud
+## Reset a Surface Hub from Windows Recovery Environment
 
-In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support.
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE).
 
-### Recover a Surface Hub in a bad state
-
-If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem.
-
-1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**.
-
-2. Under **Recover from the cloud**, click **Restart now**.
-
- ![recover from the cloud](images/recover-from-the-cloud.png)
-
-### Recover a locked Surface Hub
-
-On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx).
+**To reset a Surface Hub from Windows Recovery Environment**
 
 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
-2. The device should automatically boot into Windows RE.
-3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
- >[!NOTE]
- >When using **Recover from the cloud**, an ethernet connection is recommended.
-
- ![Recover from the cloud](images/recover-from-cloud.png)
-
-4. Enter the Bitlocker key (if prompted).
-5. When prompted, select **Reinstall**.
+2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
+3. Select **Reset**.
+4. If prompted, enter your device's BitLocker key.
 
- ![Reinstall](images/reinstall.png)
-
-6. Select **Yes** to repartition the disk.
 
- ![Repartition](images/repartition.png)
-
-Reset will begin after the image is downloaded from the cloud. You will see progress indicators.
-
-![downloading 97&](images/recover-progress.png)
 
 
 ## Related topics
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index e6d812ea78..73557c1f2c 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -33,7 +33,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f
 Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
 
 > [!NOTE]
-> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**.
+> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
 
 *Organization policies that this may affect:*
 Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
@@ -46,7 +46,7 @@ Users have access to a limited set of directories on the Surface Hub:
 - Pictures
 - Downloads
 
-Files saved locally in these directories are deleted when users press **End session**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
+Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
 
 *Organization policies that this may affect:*
 Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index 527eaf6198..3e9df023a1 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
deleted file mode 100644
index 8733038060..0000000000
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: End session - ending a Surface Hub meeting
-description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.
-keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: jdeckerMS
-localizationpriority: medium
----
-
-# End a Surface Hub meeting with End session
-Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
-- Applications
-- Operating system
-- User interface
-
-This topic explains what **End session** resets for each of these states.
-
-## Applications
-When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **End session** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
-
-### Close applications
-Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**.
-
-### Delete browser history
-Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. This is similar to how a user can clear out their browser history manually, but **End session** also ensures that application states are cleared and data is removed before the next session, or meeting, starts.
-
-### Reset applications
-**End session** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub.
-
-### Remove Skype logs
-Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **End session** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs.
-
-## Operating System
-The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
-
-### File System
-Meeting attendees have access to a limited set of directories on the Surface Hub. When **End session** is selected, Surface Hub clears these directories:
-- Music
-- Videos
-- Documents
-- Pictures
-- Downloads
-
-Surface Hub also clears these directories, since many applications often write to them:
-- Desktop
-- Favorites
-- Recent
-- Public Documents
-- Public Music
-- Public Videos
-- Public Downloads
-
-### Credentials
-User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **End session**.
-
-## User interface
-User interface (UI) settings are returned to their default values when **End session** is selected.
-
-### UI items
-- Reset Quick Actions to default state
-- Clear Toast notifications
-- Reset volume levels
-- Reset sidebar width
-- Reset tablet mode layout
-- Sign user out of Office 365 meetings and files
-
-### Accessibility
-Accessibility features and apps are returned to default settings when **End session** is selected.
-- Filter keys
-- High contrast
-- Sticky keys
-- Toggle keys
-- Mouse keys
-- Magnifier
-- Narrator
-
-### Clipboard
-The clipboard is cleared to remove data that was copied to the clipboard during the session.
-
-## Frequently asked questions
-**What happens if I forget to tap End session at the end of a meeting, and someone else uses the Surface Hub later?**
-Surface Hub only cleans up meeting content when users tap **End session**. If you leave the meeting without tapping **End session**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. You can also disable the ability to resume a session if **End session** is not pressed.
-
-**Are documents recoverable?**
-Removing files from the hard drive when **End session** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
-
-**Do the clean-up actions from End session comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
-No. Currently, the clean-up actions from **End session** do not comply with this standard.
-
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 4e6ceac8b8..6ee36023cc 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
@@ -43,10 +43,9 @@ Each of these sections also contains information about paths you might take when This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device. ->[!NOTE] ->This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. +>**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. - Select a language and the initial setup options are displayed. +  ![Image showing ICD options checklist.](images/setuplocale.png) 
@@ -327,9 +326,6 @@ This is what happens when you choose an option.
 - **Use Microsoft Azure Active Directory**
 
 Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization.
-
- >[!IMPORTANT]
- >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually.
 
 - **Use Active Directory Domain Services**
 
@@ -386,7 +382,7 @@ Once the device has been domain joined, you must specify a security group from t
 The following input is required:
 
 - **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device.
-- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object.
+- **User name:** The user name of an account that has sufficient permission to join the specified domain.
 - **Password:** The password for the account.
 
 After the credentials are verified, you will be asked to type a security group name. This input is required.
diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
new file mode 100644
index 0000000000..ccf99db112
--- /dev/null
+++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
@@ -0,0 +1,91 @@ +--- +title: I am done - ending a Surface Hub meeting +description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: TrudyHa +localizationpriority: medium +--- + +# End a Surface Hub meeting with I'm Done +Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: +- Applications +- Operating system +- User interface + +This topic explains what **I'm Done** resets for each of these states. + +## Applications +When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. + +### Close applications +Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. + +### Delete browser history +Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. 
This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. + +### Reset applications +**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. + +### Remove Skype logs +Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. + +## Operating System +The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. + +### File System +Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
+- Music +- Videos +- Documents +- Pictures +- Downloads + +Surface Hub also clears these directories, since many applications often write to them: +- Desktop +- Favorites +- Recent +- Public Documents +- Public Music +- Public Videos +- Public Downloads + +### Credentials +User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**. + +## User interface +User interface (UI) settings are returned to their default values when **I'm Done** is selected. + +### UI items +- Reset Quick Actions to default state +- Clear Toast notifications +- Reset volume levels +- Reset sidebar width +- Reset tablet mode layout + +### Accessibility +Accessibility features and apps are returned to default settings when **I'm Done** is selected. +- Filter keys +- High contrast +- Sticky keys +- Toggle keys +- Mouse keys +- Magnifier +- Narrator + +### Clipboard +The clipboard is cleared to remove data that was copied to the clipboard during the session. + +## Frequently asked questions +**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
+Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. + +**Are documents recoverable?**
+Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. + +**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
+
diff --git a/devices/surface-hub/images/OOBE-2.jpg b/devices/surface-hub/images/OOBE-2.jpg
deleted file mode 100644
index 0c615a2ec4..0000000000
Binary files a/devices/surface-hub/images/OOBE-2.jpg and /dev/null differ
diff --git a/devices/surface-hub/images/account-management-details.PNG b/devices/surface-hub/images/account-management-details.PNG
deleted file mode 100644
index 66712394ec..0000000000
Binary files a/devices/surface-hub/images/account-management-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/account-management.PNG b/devices/surface-hub/images/account-management.PNG
deleted file mode 100644
index 34165dfcd6..0000000000
Binary files a/devices/surface-hub/images/account-management.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-applications-details.PNG b/devices/surface-hub/images/add-applications-details.PNG
deleted file mode 100644
index 2efd3483ae..0000000000
Binary files a/devices/surface-hub/images/add-applications-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-applications.PNG b/devices/surface-hub/images/add-applications.PNG
deleted file mode 100644
index 2316deb2fd..0000000000
Binary files a/devices/surface-hub/images/add-applications.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-certificates-details.PNG b/devices/surface-hub/images/add-certificates-details.PNG
deleted file mode 100644
index 78cd783282..0000000000
Binary files a/devices/surface-hub/images/add-certificates-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-certificates.PNG b/devices/surface-hub/images/add-certificates.PNG
deleted file mode 100644
index 24cb605d1c..0000000000
Binary files a/devices/surface-hub/images/add-certificates.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-config-file-details.PNG b/devices/surface-hub/images/add-config-file-details.PNG
deleted file mode 100644
index c7b4db97e6..0000000000
Binary files a/devices/surface-hub/images/add-config-file-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-config-file.PNG b/devices/surface-hub/images/add-config-file.PNG
deleted file mode 100644
index 5b779509d9..0000000000
Binary files a/devices/surface-hub/images/add-config-file.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/apps.png b/devices/surface-hub/images/apps.png
deleted file mode 100644
index 5cb3b7ec8f..0000000000
Binary files a/devices/surface-hub/images/apps.png and /dev/null differ
diff --git a/devices/surface-hub/images/developer-setup.PNG b/devices/surface-hub/images/developer-setup.PNG
deleted file mode 100644
index 8c93d5ed91..0000000000
Binary files a/devices/surface-hub/images/developer-setup.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/end-session.png b/devices/surface-hub/images/end-session.png
deleted file mode 100644
index 4b28583af4..0000000000
Binary files a/devices/surface-hub/images/end-session.png and /dev/null differ
diff --git a/devices/surface-hub/images/enroll-mdm-details.PNG b/devices/surface-hub/images/enroll-mdm-details.PNG
deleted file mode 100644
index f3a7fea8da..0000000000
Binary files a/devices/surface-hub/images/enroll-mdm-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/enroll-mdm.PNG b/devices/surface-hub/images/enroll-mdm.PNG
deleted file mode 100644
index b7cfdbc767..0000000000
Binary files a/devices/surface-hub/images/enroll-mdm.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/finish-details.png b/devices/surface-hub/images/finish-details.png
deleted file mode 100644
index 727efac696..0000000000
Binary files a/devices/surface-hub/images/finish-details.png and /dev/null differ
diff --git a/devices/surface-hub/images/finish.PNG b/devices/surface-hub/images/finish.PNG
deleted file mode 100644
index 7c65da1799..0000000000
Binary files a/devices/surface-hub/images/finish.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/five.png b/devices/surface-hub/images/five.png
deleted file mode 100644
index 961f0e15b7..0000000000
Binary files a/devices/surface-hub/images/five.png and /dev/null differ
diff --git a/devices/surface-hub/images/four.png b/devices/surface-hub/images/four.png
deleted file mode 100644
index 0fef213b37..0000000000
Binary files a/devices/surface-hub/images/four.png and /dev/null differ
diff --git a/devices/surface-hub/images/icd-simple-edit.png b/devices/surface-hub/images/icd-simple-edit.png
deleted file mode 100644
index aea2e24c8a..0000000000
Binary files a/devices/surface-hub/images/icd-simple-edit.png and /dev/null differ
diff --git a/devices/surface-hub/images/one.png b/devices/surface-hub/images/one.png
deleted file mode 100644
index 42b4742c49..0000000000
Binary files a/devices/surface-hub/images/one.png and /dev/null differ
diff --git a/devices/surface-hub/images/ppkg-config.png b/devices/surface-hub/images/ppkg-config.png
deleted file mode 100644
index 10a2b7de58..0000000000
Binary files a/devices/surface-hub/images/ppkg-config.png and /dev/null differ
diff --git a/devices/surface-hub/images/ppkg-csv.png b/devices/surface-hub/images/ppkg-csv.png
deleted file mode 100644
index 0648f555e1..0000000000
Binary files a/devices/surface-hub/images/ppkg-csv.png and /dev/null differ
diff --git a/devices/surface-hub/images/proxy-details.PNG b/devices/surface-hub/images/proxy-details.PNG
deleted file mode 100644
index fcc7b06a41..0000000000
Binary files a/devices/surface-hub/images/proxy-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/proxy.PNG b/devices/surface-hub/images/proxy.PNG
deleted file mode 100644
index cdfc02c454..0000000000
Binary files a/devices/surface-hub/images/proxy.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/recover-from-cloud.png b/devices/surface-hub/images/recover-from-cloud.png
deleted file mode 100644
index 7d409edc5f..0000000000
Binary files a/devices/surface-hub/images/recover-from-cloud.png and /dev/null differ
diff --git a/devices/surface-hub/images/recover-from-the-cloud.png b/devices/surface-hub/images/recover-from-the-cloud.png
deleted file mode 100644
index 07c1e22851..0000000000
Binary files a/devices/surface-hub/images/recover-from-the-cloud.png and /dev/null differ
diff --git a/devices/surface-hub/images/recover-progress.png b/devices/surface-hub/images/recover-progress.png
deleted file mode 100644
index 316d830a57..0000000000
Binary files a/devices/surface-hub/images/recover-progress.png and /dev/null differ
diff --git a/devices/surface-hub/images/reinstall.png b/devices/surface-hub/images/reinstall.png
deleted file mode 100644
index 2f307841aa..0000000000
Binary files a/devices/surface-hub/images/reinstall.png and /dev/null differ
diff --git a/devices/surface-hub/images/repartition.png b/devices/surface-hub/images/repartition.png
deleted file mode 100644
index 26725a8c54..0000000000
Binary files a/devices/surface-hub/images/repartition.png and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device-admins-details.PNG b/devices/surface-hub/images/set-up-device-admins-details.PNG
deleted file mode 100644
index 42c04b4b3b..0000000000
Binary files a/devices/surface-hub/images/set-up-device-admins-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device-admins.PNG b/devices/surface-hub/images/set-up-device-admins.PNG
deleted file mode 100644
index e0e037903c..0000000000
Binary files a/devices/surface-hub/images/set-up-device-admins.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device-details.PNG b/devices/surface-hub/images/set-up-device-details.PNG
deleted file mode 100644
index be565ac8d9..0000000000
Binary files a/devices/surface-hub/images/set-up-device-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device.PNG b/devices/surface-hub/images/set-up-device.PNG
deleted file mode 100644
index 0c9eb0e3ff..0000000000
Binary files a/devices/surface-hub/images/set-up-device.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-network-details.PNG b/devices/surface-hub/images/set-up-network-details.PNG
deleted file mode 100644
index 7e1391326c..0000000000
Binary files a/devices/surface-hub/images/set-up-network-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-network.PNG b/devices/surface-hub/images/set-up-network.PNG
deleted file mode 100644
index a0e856c103..0000000000
Binary files a/devices/surface-hub/images/set-up-network.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png
index 3003e464b3..cb072a9793 100644
Binary files a/devices/surface-hub/images/sh-quick-action.png and b/devices/surface-hub/images/sh-quick-action.png differ
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
index f3a9a6dc5c..b3e35bb385 100644
Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
index 59212d1805..a10d4ffb51 100644
Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ
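Review bot: The answer to the first FAQ near the end of this new file tells readers that a session left without tapping **I'm Done** stays resumable from the welcome screen, but it names no control an admin can use to force clean-up instead, so the data-exposure consequence of a forgotten tap is left to the reader. If the device still offers an automatic clean-up choice, a sentence such as `Admins can configure the device to clean up rather than resume an idle session; see the Session & clean up settings.` would close that gap — hedged, because this same commit removes the **Resume session** row from local-management-surface-hub-settings.md. In the Applications section `until date is removed or overwritten` should read `until data is removed or overwritten`. The button name also appears as **I'm Done**, **I'm done** and **I’m done** within the file; one spelling should be used throughout.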
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png index 0134fda740..03125b3419 100644 Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ diff --git a/devices/surface-hub/images/six.png b/devices/surface-hub/images/six.png deleted file mode 100644 index 2816328ec3..0000000000 Binary files a/devices/surface-hub/images/six.png and /dev/null differ diff --git a/devices/surface-hub/images/surfacehub.png b/devices/surface-hub/images/surfacehub.png deleted file mode 100644 index 1b9b484ab8..0000000000 Binary files a/devices/surface-hub/images/surfacehub.png and /dev/null differ diff --git a/devices/surface-hub/images/three.png b/devices/surface-hub/images/three.png deleted file mode 100644 index 887fa270d7..0000000000 Binary files a/devices/surface-hub/images/three.png and /dev/null differ diff --git a/devices/surface-hub/images/two.png b/devices/surface-hub/images/two.png deleted file mode 100644 index b8c2d52eaf..0000000000 Binary files a/devices/surface-hub/images/two.png and /dev/null differ diff --git a/devices/surface-hub/images/wcd-wizard.PNG b/devices/surface-hub/images/wcd-wizard.PNG deleted file mode 100644 index 706771f756..0000000000 Binary files a/devices/surface-hub/images/wcd-wizard.PNG and /dev/null differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index dabf0f1f6e..22e94d2746 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -12,36 +12,19 @@ localizationpriority: medium # Microsoft Surface Hub ->[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) - -
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
-  - -## Surface Hub setup process - -In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: - -1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) -2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md) -2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) -3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) +Documents related to deploying and managing the Microsoft Surface Hub in your organization. +>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub) ## In this section | Topic | Description | | --- | --- | -| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). | +| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.| | [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. | -| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. 
See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. | -| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | -| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | -| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | -| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | -| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | +| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | | [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | -| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | - +| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. | 
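Review bot: The opening paragraph of index.md, which appears to be an unchanged context line in this hunk, still embeds `![image of a Surface Hub](images/surfacehub.png)`, while this same commit deletes `devices/surface-hub/images/surfacehub.png`, so the rendered index will show a broken image. Either drop the image reference from that paragraph or keep the file. Minor: the new administrator's-guide row ends `developers.|` without the space before the closing pipe that every other row uses.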
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index dea976e29f..d26712627a 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub, store -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md new file mode 100644 index 0000000000..eb48a1fb78 --- /dev/null +++ b/devices/surface-hub/intro-to-surface-hub.md 
@@ -0,0 +1,28 @@ +--- +title: Intro to Microsoft Surface Hub +description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. +ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76 +keywords: Surface Hub, productivity, collaboration, presentations, setup +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: surfacehub +author: TrudyHa +localizationpriority: medium +--- + +# Intro to Microsoft Surface Hub + + +Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device. +  +You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details. + +## Surface Hub setup process + +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: + +1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) +2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) +3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) + diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md index 7d17d33c38..dea2a514bd 100644 --- a/devices/surface-hub/local-management-surface-hub-settings.md 
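Review bot: In the new intro-to-surface-hub.md, `You’ll need to understand how each of these services interacts with Surface Hub.` refers to services that nothing earlier in the file introduces — the preceding paragraph describes the device generally and the line between them holds only a non-breaking space. Either name the services or reword to `You'll need to understand how your organization's services interact with Surface Hub; see [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details.` The setup list at the end omits the setup-worksheet step that index.md previously listed between "Prepare" and "Physically install"; if that topic still exists it presumably belongs here too.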
+++ b/devices/surface-hub/local-management-surface-hub-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- 
@@ -16,38 +16,29 @@ After initial setup of Microsoft Surface Hub, the device’s settings can be loc ## Surface Hub settings -Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only configurable on Surface Hubs. +Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs. | Setting | Location | Description | | ------- | -------- | ----------- | -| Device account | Surface Hub > Accounts | Set or change the Surface Hub's device account. | -| Device account sync status | Surface Hub > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | -| Password rotation | Surface Hub > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | -| Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | -| Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). | -| Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. | -| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. | -| Open the Windows Store app | Surface Hub > Apps & features | The Windows Store app is only available to admins through the Settings app. | -| Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. 
| -| Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. | -| Default microphone and speaker settings | Surface Hub > Calling & Audio | Configure a default microphone and speaker for calls, and a default speaker for media playback. | -| Enable Dolby Audio X2 | Surface Hub > Calling & Audio | Configure the Dolby Audio X2 speaker enhancements. | -| Open Connect App automatically | Surface Hub > Projection | Choose whether projection will automatically open the Connect app or wait for user input before opening. | -| Turn off wireless projection using Miracast | Surface Hub > Projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. | -| Require a PIN for wireless projection | Surface Hub > Projection | Choose whether people are required to enter a PIN before they use wireless projection. | -| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. | -| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | -| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. | -| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. | -| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. | -| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. | -| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. 
| -| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | -| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | -| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. | +| Device account | This device > Accounts | Set or change the Surface Hub's device account. | +| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | +| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | +| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | +| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. | +| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. | +| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. | +| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. | +| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. | +| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. 
| +| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. | +| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | +| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. | +| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. | +| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | +| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | +| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. | | Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. | | Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. | -| Recover from the cloud | Update & security > Recovery | Reinstall the operating system on Surface Hub to a manufacturer build from the cloud. | | Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. | | Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. | diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md new file mode 100644 index 0000000000..db9230f9ad --- /dev/null +++ b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md 
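Review bot: The rewritten intro sentence of the `@@ -16` hunk introduces a typo the old line did not have: `This table lists settings only cofigurable on Surface Hubs.` should read `This table lists settings only configurable on Surface Hubs.` The rows for **Provisioning packages**, **Device Management** and **Recover from the cloud** disappear from the new table with no pointer to where those settings are now documented; if they still exist on the device, a one-line reference to their topic would keep admins from assuming they were removed. The "Surface Hub settings" section starts inside the hunk, but the file's surrounding text continues after it.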
@@ -0,0 +1,13 @@
+---
+title: Manage settings with a local admin account (Surface Hub)
+description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
+ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
+redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
+keywords: local admin account, Surface Hub, change local admin options
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 1954027d43..8cadcb7309 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -65,23 +65,13 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes | | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes | | Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
Use a custom setting. | Yes | | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes.
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. ### Supported Windows 10 settings @@ -92,57 +82,57 @@ The following tables include info on Windows 10 settings that have been validate #### Security settings | Setting | Details | CSP reference | Supported with
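Review bot: The new Friendly name row has a stray closing parenthesis after the Intune link, `[Use a custom policy.](#example-intune)) | Yes.`, which renders as a literal `)` in the cell; it should read `[Use a custom policy.](#example-intune) | Yes.`. In the same hunk the Miracast channel row replaces `[Use a custom setting.](#example-sccm)` with plain `Use a custom setting.` while the OMS, welcome-screen and meeting-info rows just below keep the link, and the `@@ -92,57 +82,57 @@` hunk that follows strips the same anchors from every row of the Windows 10 tables; since the "Generate OMA URIs for settings" section still directs the reader to create a custom policy in Intune or a custom setting in Configuration Manager, keep the `#example-intune` / `#example-sccm` links so the examples remain reachable (assuming those example sections still exist). The ten deleted rows include `Properties/AllowAutoProxyAuth` and `Properties/DisableSignInSuggestions`, which per their removed descriptions govern whether the device account is used for proxy authentication and whether meeting invitees are pre-filled in the sign-in dialog on a shared device; if the SurfaceHub CSP still exposes them, this page no longer documents them for MDM admins, so please confirm the removal is intended.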
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. #### Browser settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. #### Windows Update settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes| -| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes | +| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes| +| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. #### Windows Defender settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. #### Remote reboot | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | -| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. #### Install certificates @@ -152,7 +142,7 @@ The following tables include info on Windows 10 settings that have been validate -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. #### Collect logs @@ -161,7 +151,7 @@ The following tables include info on Windows 10 settings that have been validate | Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. ### Generate OMA URIs for settings You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. @@ -262,7 +252,7 @@ For more information, see [Create configuration items for Windows 8.1 and Window [Manage Microsoft Surface Hub](manage-surface-hub.md) - +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)   diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index ecfbb7c584..5413d28a30 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- 
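Review bot: The `Use Current Branch or Current Branch for Business` row in the Windows Update table is formatted differently from every other rewritten row: its cells read `Yes. Use a custom policy. | Yes. Use a custom setting.` on one line, while all other rows put `Use a custom policy.` and `Use a custom setting.` on their own line inside the cell. Match the neighbouring rows so the tables render uniformly. The rewritten footnotes expand the tool as `Windows Imaging and Configuration Designer (Windows ICD)`, whereas the new provisioning-packages topic in this same change introduces it as `Windows Imaging and Configuration Designer (ICD)`; settle on one abbreviation across the set.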
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 95b3b394bd..b464c430f2 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
@@ -30,7 +30,7 @@ Learn about managing and updating Surface Hub. | [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. | | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network | | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.| -| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| +| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.| | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| 
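Review bot: The renamed row names the button two different ways: the link text says `End a meeting with I’m done` (curly apostrophe, lowercase `done`) while the description says `tap I'm Done` (straight apostrophe, capital `D`, no bold), and the old row had bolded the UI element as `**End session**`. Pick one spelling and keep the bold for the control name, e.g. `users can tap **I'm done** to clean up any sensitive data`.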
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index f54bd79038..659e2a6ae5 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 27f722e175..4b96956704 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 7a4a8ed551..8914899056 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0c25519753..6510d41971 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 851ae60a58..c6c3db5d36 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 3ea7a56b63..489e6a03a3 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, readiness
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 9ae8f829c5..f5c342d43d 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
@@ -27,12 +27,11 @@ Review these dependencies to make sure Surface Hub features will work in your IT
 | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | +| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 - HTTP: 80 -- NTP: 123 Depending on your environment, access to additional ports may be needed: - For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). @@ -42,20 +41,6 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th - Telemetry client endpoint: `https://vortex.data.microsoft.com/` - Telemetry settings endpoint: `https://settings.data.microsoft.com/` -### Proxy configuration - -If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: - -- login.live.com -- login.windows.net -- account.live.com -- clientconfig.passport.net -- windowsphone.com -- *.wns.windows.com -- *.microsoft.com -- www.msftncsi.com (prior to Windows 10, version 1607) -- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) - ## Work with other admins 
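Review bot: The required-ports list keeps `- HTTPS: 443` and `- HTTP: 80` but drops `- NTP: 123`, and the rewritten Network row no longer states that 802.1x authentication is supported or that proxy credentials are stored across Surface Hub sessions. If the device still obtains time over NTP, an admin who opens only the ports listed here ends up with a device whose clock can drift, which is a common cause of certificate-validation and sign-in failures, so either restore the NTP line or say how the device gets its time. The note that proxy credentials persist is worth keeping because it tells the admin that a credential entered once remains on a shared device, e.g. `Proxy credentials are stored across Surface Hub sessions and only need to be set once.` The `@@ -42,20 +41,6 @@` hunk below removes the entire proxy allow-list for Store for Business; if those URLs are now documented elsewhere, link to that location from this topic rather than leaving admins with no list.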
@@ -64,7 +49,7 @@ Surface Hub interacts with a few different products and services. Depending on t
 ## Create and verify device account
-A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
+A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
 After you've created your device account, there are a couple of ways to verify that it's setup correctly.
 - Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
new file mode 100644
index 0000000000..73dd21ac2e
--- /dev/null
+++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
@@ -0,0 +1,221 @@
+---
+title: Create provisioning packages (Surface Hub)
+description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
+ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
+keywords: add certificate, provisioning package
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Create provisioning packages (Surface Hub)
+
+This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
+
+You can apply a provisioning package using a USB during first run, or through the **Settings** app.
+
+
+## Advantages
+- Quickly configure devices without using a MDM provider.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages)
+
+
+## Requirements
+
+To create and apply a provisioning package to a Surface Hub, you'll need the following:
+
+- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740).
+- A PC running Windows 10.
+- A USB flash drive.
+- If you apply the package using the **Settings** app, you'll need device admin credentials.
+
+You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
+
+
+## Supported items for Surface Hub provisioning packages
+
+Currently, you can add these items to provisioning packages for Surface Hub:
+- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange.
+- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev.
+- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
+
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
+
+1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
+
+2. Click **Advanced provisioning**.
+
+ ![ICD start options](images/ICDstart-option.PNG)
+
+3. Name your project and click **Next**.
+
+4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
+
+ ![ICD new project](images/icd-new-project.png)
+
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
+
+ ![ICD common settings](images/icd-common-settings.png)
+
+
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
+
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+
+2. Enter a **CertificateName** and then click **Add**.
+
+2. Enter the **CertificatePassword**.
+
+3. For **CertificatePath**, browse and select the certificate.
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**.
+
+
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
+
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags.
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
+
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
+
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
+
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
+
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute.
+
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
+
+
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
+
+2. Select one of the available policy areas.
+
+3. Select and set the policy you want to add to your provisioning package.
+
+
+### Add Surface Hub settings to your package
+
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
+
+2. Select one of the available setting areas.
+
+3. Select and set the setting you want to add to your provisioning package.
+
+
+## Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
+
+5. Set a value for **Package Version**, and then select **Next.**
+
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. Optional: You can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
+
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  
+
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
+
+
+## Apply a provisioning package to Surface Hub
+
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
+
+
+### Apply a provisioning package during first run
+
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
+
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
+
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
+
+ ![Set up device?](images/provisioningpackageoobe-01.png)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ ![Provision this device](images/provisioningpackageoobe-02.png)
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
+
+ ![Choose a package](images/provisioningpackageoobe-03.png)
+
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
+
+ ![Do you trust this package?](images/provisioningpackageoobe-04.png)
+
+
+### Apply a package using Settings
+
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
+
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
+
+3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
+
+4. Select **Add a package**.
+
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
+
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
deleted file mode 100644
index 0d3604f6ad..0000000000
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ /dev/null
@@ -1,319 +0,0 @@
----
-title: Create provisioning packages (Surface Hub)
-description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
-ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
-keywords: add certificate, provisioning package
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: jdeckerMS
-localizationpriority: medium
----
-
-# Create provisioning packages (Surface Hub)
-
-This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
-
-You can apply a provisioning package using a USB stick during first-run setup, or through the **Settings** app.
-
-
-## Advantages
-- Quickly configure devices without using a mobile device management (MDM) provider.
-
-- No network connectivity required.
-
-- Simple to apply.
-
-[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/configure/provisioning-packages)
-
-
-## Requirements
-
-To create and apply a provisioning package to a Surface Hub, you'll need the following:
-
-- Windows Configuration Designer, which can be installed from Windows Store or from the Windows 10 Assessment and Deployment Kit (ADK). [Learn how to install Windows Configuration Designer.](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd)
-- A USB stick.
-- If you apply the package using the **Settings** app, you'll need device admin credentials.
-
-You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
- - -## Supported items for Surface Hub provisioning packages - -Using the **Provision Surface Hub devices** wizard, you can: - -- Enroll in Active Directory, Azure Active Directory, or MDM -- Create an device administrator account -- Add applications and certificates -- Configure proxy settings -- Add a Surface Hub configuration file - ->[!WARNING] ->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard. - -Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub: - -- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#surfacehubpolicies). -- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). - ->[!TIP] -> Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings. -> ->![open advanced editor](images/icd-simple-edit.png) - -## Use the Surface Hub provisioning wizard - -After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. - -### Create the provisioning package - -1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. - -2. 
Click **Provision Surface Hub devices**. - -3. Name your project and click **Next**. - -### Configure settings - - - - - - - - - -
![step one](images/one.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step two](images/two.png) ![configure proxy settings](images/proxy.png)

Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**.

If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
![configure proxy settings](images/proxy-details.png)
![step three](images/three.png) ![device admins](images/set-up-device-admins.png)

You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/set-up-device-admins-details.png)
![step four](images/four.png) ![enroll in device management](images/enroll-mdm.png)

Toggle **Yes** or **No** for enrollment in MDM.

If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)
![enroll in mobile device management](images/enroll-mdm-details.png)
![step five](images/five.png) ![add applications](images/add-applications.png)

You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps).

**Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.
![add an application](images/add-applications-details.png)
![step six](images/six.png) ![Add configuration file](images/add-config-file.png)

You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.

**Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
![Add a Surface Hub configuration file](images/add-config-file-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
- -After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. - -## Sample configuration file - -A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703. - -Use Microsoft Excel or other CSV editor to create a CSV file named `SurfaceHubConfiguration.csv`. In the file, enter a list of device accounts and friendly names in this format: - -``` -,, -``` ->[!IMPORTANT] ->Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the [DeviceAccount node](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp#deviceaccount) in the [Surface Hub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) to update the passwords via MDM. - - -The following is an example of `SurfaceHubConfiguration.csv`. 
- -``` -Rainier@contoso.com,password,Rainier Surface Hub -Adams@contoso.com,password,Adams Surface Hub -Baker@contoso.com,password,Baker Surface Hub -Glacier@constoso.com,password,Glacier Surface Hub -Stuart@contoso.com,password,Stuart Surface Hub -Fernow@contoso.com,password,Fernow Surface Hub -Goode@contoso.com,password,Goode Surface Hub -Shuksan@contoso.com,password,Shuksan Surface Hub -Buckner@contoso.com,password,Buckner Surface Hub -Logan@contoso.com,password,Logan Surface Hub -Maude@consoto.com,password,Maude Surface hub -Spickard@contoso.com,password,Spickard Surface Hub -Redoubt@contoso.com,password,Redoubt Surface Hub -Dome@contoso.com,password,Dome Surface Hub -Eldorado@contoso.com,password,Eldorado Surface Hub -Dragontail@contoso.com,password,Dragontail Surface Hub -Forbidden@contoso.com,password,Forbidden Surface Hub -Oval@contoso.com,password,Oval Surface Hub -StHelens@contoso.com,password,St Helens Surface Hub -Rushmore@contoso.com,password,Rushmore Surface Hub -``` - -## Use advanced provisioning - -After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. - -### Create the provisioning package (advanced) - -1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. - -2. Click **Advanced provisioning**. - -3. Name your project and click **Next**. - -4. 
Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. - - ![ICD new project](images/icd-new-project.png) - -5. In the project, under **Available customizations**, select **Common Team edition settings**. - - ![ICD common settings](images/icd-common-settings.png) - - -### Add a certificate to your package -You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. - -> [!NOTE] -> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - -2. Enter a **CertificateName** and then click **Add**. - -2. Enter the **CertificatePassword**. - -3. For **CertificatePath**, browse and select the certificate. - -4. Set **ExportCertificate** to **False**. - -5. For **KeyLocation**, select **Software only**. - - -### Add a Universal Windows Platform (UWP) app to your package -Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business. - -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. - -2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. 
If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. - -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. - -If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package. - -1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". - -2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. - -3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. - -4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. - - -### Add a policy to your package -Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. - -2. Select one of the available policy areas. - -3. Select and set the policy you want to add to your provisioning package. 
- - -### Add Surface Hub settings to your package - -You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. - -1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. - -2. Select one of the available setting areas. - -3. Select and set the setting you want to add to your provisioning package. - - -## Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. - -2. Read the warning that project files may contain sensitive information, and click **OK**. - - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -3. On the **Export** menu, click **Provisioning package**. - -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. - -5. Set a value for **Package Version**, and then select **Next.** - - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. - -6. Optional: You can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. 
- - > [!IMPORTANT] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

-Optionally, you can click **Browse** to change the default output location. - -8. Click **Next**. - -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. - - -## Apply a provisioning package to Surface Hub - -There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). - - -### Apply a provisioning package during first run - -> [!IMPORTANT] -> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. - -1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. - -2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/provisioningpackageoobe-01.png) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/provisioningpackageoobe-02.png) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. 
- - ![Choose a package](images/provisioningpackageoobe-03.png) - -5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. - - ![Do you trust this package?](images/provisioningpackageoobe-04.png) - -6. If a configuration file is included in the root directory of the USB flash drive, you will see **Select a configuration**. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub. - - ![select a configuration](images/ppkg-config.png) - -7. In **Select a configuration**, select the device name to apply, and then click **Next**. - - ![select a friendly device name](images/ppkg-csv.png) - -The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive. - -### Apply a package using Settings - -1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. - -2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. - -3. Navigate to **Surface Hub** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. - -4. Select **Add a package**. - -5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. - -6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. - - diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md index 57bd619f8b..41588251fe 100644 --- a/devices/surface-hub/remote-surface-hub-management.md +++ b/devices/surface-hub/remote-surface-hub-management.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- 
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6e6b8b5317..2354de0f40 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96310f473c..95b7c2c92f 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index d8e7f921c0..a77cf5850f 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
new file mode 100644
index 0000000000..4786082d45
--- /dev/null
+++ b/devices/surface-hub/surface-hub-administrators-guide.md
@@ -0,0 +1,76 @@ +--- +title: Microsoft Surface Hub administrator's guide +description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. +ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839 +keywords: Surface Hub, installation, administration, administrator's guide +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub +author: TrudyHa +localizationpriority: medium +--- + +# Microsoft Surface Hub administrator's guide + + +This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. + +Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Intro to Microsoft Surface Hub](intro-to-surface-hub.md)

Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.

[Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)

The Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.

[Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)

This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.

[Set up Microsoft Surface Hub](set-up-your-surface-hub.md)

Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.

[Manage Microsoft Surface Hub](manage-surface-hub.md)

How to manage your Surface Hub after finishing the first-run program.

[Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)

Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.

[Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)

PowerShell scripts to help set up and manage your Surface Hub .

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md deleted file mode 100644 index d05ed24b2a..0000000000 --- a/devices/surface-hub/surfacehub-whats-new-1703.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: What's new in Windows 10, version 1703 for Surface Hub -description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: devices -ms.sitesec: library -author: jdeckerMS -localizationpriority: medium ---- - -# What's new in Windows 10, version 1703 for Microsoft Surface Hub? - -Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub: - -## New settings - -Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [New settings include](manage-settings-with-mdm-for-surface-hub.md): - -- InBoxApps/SkypeForBusiness/DomainName -- InBoxApps/Connect/AutoLaunch -- Properties/DefaultVolume -- Properties/ScreenTimeout -- Properties/SessionTimeout -- Properties/SleepTimeout -- Properties/AllowSessionResume -- Properties/AllowAutoProxyAuth -- Properties/DisableSigninSuggestions -- Properties/DoNotShowMyMeetingsAndFiles -
- -## Provizioning wizard - -An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices, and includes bulk join to Azure Active Directory. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md) - -![steps in the provision Surface Hub devices wizard](images/wcd-wizard.png) - -## Cloud recovery - -When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery) - ->[!NOTE] ->Cloud recovery doesn't work if you use proxy servers. - -![Reinstall](images/reinstall.png) - -## End session - -**I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) - -![end session](images/end-session.png) - - - - - - diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index 678d06e664..cc3bd57b95 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: support ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- @@ -622,9 +622,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca     -## Related content -- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)   diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md index 512cf6b4bf..fbed027215 100644 --- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md 
@@ -3,7 +3,7 @@ title: Use fully qualified doman name with Surface Hub description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"] -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- @@ -16,7 +16,7 @@ There are a few scenarios where you need to specify the domain name of your Skyp **To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**. -2. Click **Surface Hub**, and then click **Calling & Audio**. +2. Click **This device**, and then click **Calling**. 3. Under **Skype for Business configuration**, click **Configure domain name**. 4. Type the domain name for your Skype for Business server, and then click **Ok**. > [!TIP] diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 4ff4665c6a..16fd8c71d1 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index db080ce397..0ccd6ad70d 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, networking -author: jdeckerMS +author: TrudyHa localizationpriority: medium --- 
@@ -24,7 +24,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele ### Choose a wireless access point 1. On the Surface Hub, open **Settings** and enter your admin credentials. -2. Click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**. +2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**. ![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png) @@ -35,7 +35,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele ### Review wireless settings 1. On the Surface Hub, open **Settings** and enter your admin credentials. -2. Click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**. +2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**. 3. Surface Hub shows you the properties for the wireless network connection. ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png) diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 0ce34a2dfe..2fc832d764 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md 
@@ -1,6 +1,7 @@ # [Surface](index.md) ## [Deploy Surface devices](deploy.md) -### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) +### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) +#### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) ### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index a6195be9e0..09cfde4e61 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -11,6 +11,14 @@ author: jdeckerMS This topic lists new and updated topics in the Surface documentation library. + +## April 2017 + +|New or changed topic | Description | +| --- | --- | +|[Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | New (supersedes [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md))| + + ## January 2017 |New or changed topic | Description | diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 03cdc49f49..3753718aef 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md 
@@ -16,7 +16,7 @@ Get deployment guidance for your Surface devices including information about MDT | Topic | Description | | --- | --- | -| [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) | Explains that LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. | +| [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. | | [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.| | [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. | | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.| diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index 91ae3a566b..5482418741 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md 
@@ -10,6 +10,8 @@ author: jdeckerMS # Long-Term Servicing Branch (LTSB) for Surface devices +>[!WARNING] +>For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros. General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB). diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md new file mode 100644 index 0000000000..189e013e77 --- /dev/null +++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md 
@@ -0,0 +1,58 @@ +--- +title: Surface device compatibility with Windows 10 Long-Term Servicing Branch (Surface) +description: Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. +keywords: ltsb, update, surface servicing options +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: jdeckerMS +--- + +# Surface device compatibility with Windows 10 Long-Term Servicing Branch (LTSB) + +Surface devices are designed to provide best-in-class experiences in productivity and general-purpose scenarios. Regular updates enable Surface devices to bring to life new innovations and to evolve with the new capabilities delivered by Windows 10 Feature Updates. Feature Updates are available only in Windows 10 Pro or Windows 10 Enterprise editions that receive continuous updates through the Current Branch (CB) or Current Branch for Business (CBB) servicing options. + +In contrast to the CB and CBB servicing options, you cannot select the Long-Term Servicing Branch (LTSB) option in Windows 10 settings. To use the LTSB servicing option, you must install a separate edition of Windows 10 Enterprise, known as *Windows 10 Enterprise LTSB*. In addition to providing an extended servicing model, the Windows 10 Enterprise LTSB edition also provides an environment with several Windows components removed. 
The core Surface experiences that are impacted by LTSB include: + +* Windows Feature Updates, including enhancements such as: + + * Improvements to Direct Ink and palm rejection provided in Windows 10, version 1607 (also referred to as the Anniversary Update) + * Improved support for high DPI applications provided in Windows 10, version 1703 (also referred to as the Creators Update) + +* Pressure sensitivity settings provided by the Surface app + +* The Windows Ink Workspace + +* Key touch-optimized in-box applications including Microsoft Edge, OneNote, Calendar, and Camera + +The use of the Windows 10 Enterprise LTSB environment on Surface devices results in sub-optimal end-user experiences and you should avoid using it in environments where users want and expect a premium, up-to-date user experience. + +The LTSB servicing option is designed for device types and scenarios where the key attribute is for features or functionality to never change. Examples include systems that power manufacturing or medical equipment, or embedded systems in kiosks, such as ATMs or airport ticketing systems. + +>[!NOTE] +>For general information about Windows servicing branches, including LTSB, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/update/waas-overview#long-term-servicing-branch). 
+ +>[!NOTE] +>As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 Pro or Windows 10 Enterprise using the CB or CBB servicing option: + +* Devices that run productivity software such as Microsoft Office + +* Devices that use Windows Store applications + +* Devices that are used for general Internet browsing (for example, research or access to social media) + +Before you choose to use Windows 10 Enterprise LTSB edition on Surface devices, consider the following limitations: + +* Drivers and firmware for Surface devices are tested against the most recent version of Windows 10 CB and the last two versions of CBB. Drivers and firmware are not explicitly tested against releases of Windows 10 Enterprise LTSB. + +* If you encounter problems, Microsoft Support will provide troubleshooting assistance. However, due to the servicing nature of the Windows LTSB, issue resolution may require that devices be upgraded to a more recent version of Windows 10 Enterprise LTSB, or to Windows 10 Pro or Enterprise with the CB or CBB servicing option. + +* Surface device replacements (for example, devices replaced under warranty) may contain subtle variations in hardware components that require updated device drivers and firmware. Compatibility with these updates may require the installation of a more recent version of Windows 10 Enterprise LTSB or Windows 10 Pro or Enterprise with the CB or CBB servicing option. + +>[!NOTE] +>Organizations that standardize on a specific version of Windows 10 Enterprise LTSB may be unable to adopt new generations of Surface hardware without also updating to a later version of Windows 10 Enterprise LTSB or Windows 10 Pro or Enterprise. 
For more information, see the **How will Windows 10 LTSBs be supported?** topic in the **Supporting the latest processor and chipsets on Windows** section of [Lifecycle Policy FAQ—Windows products](https://support.microsoft.com/help/18581/lifecycle-policy-faq-windows-products#b4). + +Surface devices running Windows 10 Enterprise LTSB edition will not receive new features. In many cases these features are requested by customers to improve the usability and capabilities of Surface hardware. For example, new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices in the LTSB configuration will not see the improvements until they either update to a new Windows 10 Enterprise LTSB release or upgrade to a version of Windows 10 with support for the CB and CBB servicing options. + +Devices can be changed from Windows 10 Enterprise LTSB to a more recent version of Windows 10 Enterprise, with support for the CB and CBB servicing options, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt). diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 875fe51b0c..ae5f54addb 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md 
@@ -104,6 +104,33 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in *Figure 8. Surface Dock Updater events in Event Viewer* +## Changes and updates + +Microsoft periodically updates Surface Dock Updater. To learn more about the application of firmware by Surface Dock Updater, see [Manage Surface Dock firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-dock-firmware-updates). + +>[!Note] +>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. + +### Version 1.0.8.0 + +This version of Surface Dock Updater adds support for the following: + +* Update for Surface Dock Main Chipset firmware +* Update for Surface Dock DisplayPort firmware + +### Version 2.0.22.0 + +This version of Surface Dock Updater adds support for the following: + +* Update for Surface Dock USB firmware +* Improved reliability of Ethernet, audio, and USB ports + +### Version 2.1.6.0 + +This version of Surface Dock Updater adds support for the following: + +* Updated firmware for Surface Dock DisplayPort + ## Related topics diff --git a/education/windows/TOC.md b/education/windows/TOC.md index f47b4a68e2..4575df5963 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -1,19 +1,20 @@
 # [Windows 10 for Education](index.md)
 ## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
-## [Setup options for Windows 10](set-up-windows-10.md)
-### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
+## [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)
+## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+## [Set up Windows devices for education](set-up-windows-10.md)
 ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
 ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
 ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
-## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
-## [Get Minecraft Education Edition](get-minecraft-for-education.md)
-### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
-### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
 ## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
 ### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
 ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
 ### [Take a Test app technical reference](take-a-test-app-technical.md)
-## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
+## [Get Minecraft Education Edition](get-minecraft-for-education.md)
+### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
+### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows
10 in a school district](deploy-windows-10-in-a-school-district.md) ## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index e83f98b49f..44f87ac341 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -12,12 +12,25 @@ author: CelesteDG This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## RELEASE: Windows 10, version 1703 (Creators Update) + +| New or changed topic | Description| +| --- | --- | +| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. | +| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | +| [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. | +| Set up School PCs app:
[Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
[Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. | +| Set up using Windows Configuration Designer:
[Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
[Provision student PCs with apps](set-up-students-pcs-with-apps.md) | Updated the information for Windows 10, version 1703. | +| [Take tests in Windows 10 ](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
[Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. | + ## January 2017 + | New or changed topic | Description | | --- | --- | | [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. | ## December 2016 + | New or changed topic | Description | | --- | --- | | [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. | @@ -30,13 +43,8 @@ This topic lists new and updated topics in the [Windows 10 for Education](index. | [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. | | [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. | -## September 2016 -| New or changed topic | Description| -| --- | --- | -| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. | - -## RELEASE: Windows 10, version 1607 +## RELEASE: Windows 10, version 1607 (Anniversary Update) The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - [Set up Windows 10](set-up-windows-10.md) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index bcf28c02a2..27bf9b1c63 100644 
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu, devices
+localizationpriority: high
 author: craigash
 ---
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
new file mode 100644
index 0000000000..85dfe0c547
--- /dev/null
+++ b/education/windows/configure-windows-for-education.md
@@ -0,0 +1,172 @@
+---
+title: Windows 10 configuration recommendations for education customers
+description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
+keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"]
+ms.mktglfcycl: plan
+ms.sitesec: library
+localizationpriority: high
+author: CelesteDG
+---
+
+# Windows 10 configuration recommendations for education customers
+**Applies to:**
+
+- Windows 10
+
+
+Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
+
+In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready.
+
+| Area | How to configure | What this does | Notes |
+| --- | --- | --- | --- |
+| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | On Windows 10 Education or Windows 10 Pro Education, this is already set |
+| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | On Windows 10 Education or Windows 10 Pro Education, this is already set |
+| **Cortana** | **AllowCortana** | Disables Cortana | * Cortana is enabled by default on all editions in Windows 10, version 1703

* If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. You can use the **AllowCortana** policy to turn it off. |
+| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | On Windows 10 Education or Windows 10 Pro Education, this is already set |
+| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
+| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready | * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/en-us/uwp/api/windows.system.profile.educationsettings)

* On Windows 10 Education or Windows 10 Pro Education, this is already set |
+
+
+## Recommended configuration
+It is easy to be education ready when using Microsoft products. We recommend the following configuration:
+
+1. Use an Office 365 Education tenant.
+
+ With Office 365, you also have Azure Active Directory (Azure AD). To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+
+2. Activate Intune for Education in your tenant.
+
+ You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
+
+3. On PCs running Windows 10, version 1703 (Windows 10 Pro Education or Windows 10 Education):
+ 1. Provision the PC using one of these methods:
+ * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
+ * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
+ 2. Join the PC to Azure Active Directory.
+ * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD.
+ * Manually Azure AD join the PC during the Windows device setup experience.
+ 3. Enroll the PCs in MDM.
+ * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
+
+4. Distribute the PCs to students. 
+
+ Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
+
+5. Ongoing management through Intune for Education.
+
+ You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
+
+## Configuring Windows
+You can configure Windows through provisioning or management tools including industry standard MDM.
+- Provisioning - A one-time setup process.
+- Management - A one-time and/or ongoing management of a PC by setting policies.
+
+You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
+- [Set up School PCs](use-set-up-school-pcs-app.md)
+- Intune for Education (coming soon)
+
+## AllowCortana
+**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
+
+Use one of these methods to set this policy.
+
+### MDM
+- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
+- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
+ - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+
+ For example, in Intune, create a new configuration policy and add an OMA-URI. 
+ - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
+ - Data type: Integer
+ - Value: 0
+
+ ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png)
+
+### Group Policy
+Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
+
+![Set AllowCortana to disabled through Group Policy](images/allowcortana_gp.png)
+
+### Provisioning tools
+- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
+- [Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package)
+ - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
+
+ ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png)
+
+## SetEduPolicies
+**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/sharedpc-csp).
+
+Use one of these methods to set this policy.
+
+### MDM
+- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
+- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
+ - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+
+ For example, in Intune, create a new configuration policy and add an OMA-URI.
+ - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies
+ - Data type: Boolean
+ - Value: true
+
+ ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png)
+
+### Group Policy
+**SetEduPolicies** is not natively supported in Group Policy. 
Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/en-us/library/windows/desktop/mt779129(v=vs.85).aspx).
+
+### Provisioning tools
+- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
+- [Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package)
+ - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
+
+ ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png)
+
+## Ad-free search with Bing
+Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at http://www.bing.com/classroom/about-us.
+
+> [!NOTE]
+> If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge).
+
+### Configurations
+
+#### IP registration for entire school network using Microsoft Edge
+Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email. 
+
+**District information**
+- **District or School Name:**
+- **Outbound IP Addresses (IP Range + CIDR):**
+- **Address:**
+- **City:**
+- **State Abbreviation:**
+- **Zip Code:**
+
+**Registrant information**
+- **First Name:**
+- **Last Name:**
+- **Job Title:**
+- **Email Address:**
+- **Opt-In for Email Announcements?:**
+- **Phone Number:**
+
+This will suppress ads when searching with Bing on Microsoft Edge when the PC is connected to the school network.
+
+#### Azure AD and Office 365 Education tenant
+To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
+
+1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
+2. Domain join the Windows 10 PCs to your Azure AD tenant (this is the same as your Office 365 tenant).
+3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
+4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
+
+#### Office 365 sign-in to Bing
+To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
+
+1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
+2. Have students sign into Bing with their Office 365 account.
+
+### More information
+For more information on all the possible Bing configuration methods, see https://aka.ms/e4ahor.
+
+## Related topics
+[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 89225a2609..4037a7093e 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
+localizationpriority: high
 author: craigash
 ---
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3f1dad3d00..e81b0dbbd7 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
+localizationpriority: high
 author: craigash
 ---
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 20539db158..71b7b4829f 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -4,6 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, as
 keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
 ms.mktglfcycl: plan
 ms.sitesec: library
+localizationpriority: high
 author: CelesteDG
 ---
@@ -15,7 +16,7 @@ author: CelesteDG
 Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
-Here are some best practices and specific privacy settings we’d like you to be aware of.
+Here are some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search.
 ## Deployment best practices
@@ -41,11 +42,11 @@ To change the setting, you can:
 To turn off access to contacts for all apps on individual Windows devices:
 1. On the computer, go to **Settings** and select **Privacy**.
- ![Privacy settings](images/settings-privacy-marked.png)
+ ![Privacy settings](images/win10_settings_privacy.png)
 2. Under the list of **Privacy** areas, select **Contacts**.
- ![Contacts privacy settings](images/privacy-contacts-marked.png)
+ ![Contacts privacy settings](images/win10_settings_privacy_contacts.png)
 3. Turn off **Let apps access my contacts**. 
@@ -56,7 +57,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti
 ### Choose the apps that you want to allow access to contacts
 If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
-![Choose apps with access to contacts](images/settings-contacts-app-marked.png)
+![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png)
 The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
@@ -64,11 +65,11 @@ To allow only certain apps to have access to contacts, you can:
 * Configure each app individually using the **Settings** > **Contacts** option in the Windows UI
 * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
- ![App privacy Group Policy](images/app-privacy-group-policy.png)
+ ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png)
 ## Skype and Xbox settings
-Skype Preview (a Universal Windows Platform [UWP] preview app) and Xbox are preinstalled as part of Windows 10.
+Skype (a Universal Windows Platform [UWP]) and Xbox are preinstalled as part of Windows 10.
 The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](https://go.microsoft.com/fwlink/?LinkId=821441). 
@@ -85,21 +86,24 @@ If the school allows the use of personal or Microsoft account in addition to org Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype. To manage and edit your profile in the Skype UWP app, follow these steps: -1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype-profile-icon.png) to go to the user’s profile page. -2. In the **Accounts** section, select **Manage** for the Skype account that you want to change. This will take you to the online Skype portal. -3. In the online Skype portal, scroll down to the Account details section. In Settings and preferences, select Edit profile. -The profile page includes these sections: - * Profile completeness - * Personal information - * Contact details -4. Review the information in each section and click **Edit** to change the information being shared. -5. If you do not wish your name to be included, replace the fields with **XXX**. -6. To change your profile picture, simply click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. +1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. +2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. +3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**. - ![Skype profile icon](images/skype-manage-profile-pic.png) + The profile page includes these sections: + + * Personal information + * Contact details + * Profile settings + +4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. 
You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch. +5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**. +6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. + + ![Skype profile icon](images/skype_uwp_manageprofilepic.png) * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). - * You can also change the visibility of your profile picture between public (everyone) or your contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**. + * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**. #### Xbox A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive. diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index ce335d4357..a06a16e9e1 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md 
@@ -1,10 +1,11 @@
---
title: Education scenarios Windows Store for Business
description: Learn how IT admins and teachers can use Windows Store for Business to acquire and manage apps in schools.
-keywords: ["school"]
+keywords: ["school", "store for business"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 91345b72c1..1e81d3437e 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,10 +1,11 @@
---
title: Get Minecraft Education Edition
description: Learn how to get and distribute Minecraft Education Edition.
-keywords: school
+keywords: school, minecraft
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
diff --git a/education/windows/images/allowcortana_gp.PNG b/education/windows/images/allowcortana_gp.PNG
new file mode 100644
index 0000000000..7adf1b7594
Binary files /dev/null and b/education/windows/images/allowcortana_gp.PNG differ
diff --git a/education/windows/images/allowcortana_omauri.PNG b/education/windows/images/allowcortana_omauri.PNG
new file mode 100644
index 0000000000..303c89ed5f
Binary files /dev/null and b/education/windows/images/allowcortana_omauri.PNG differ
diff --git a/education/windows/images/allowcortana_wcd.PNG b/education/windows/images/allowcortana_wcd.PNG
new file mode 100644
index 0000000000..5e62e0bb01
Binary files /dev/null and b/education/windows/images/allowcortana_wcd.PNG differ
diff --git a/education/windows/images/azuread_usersandgroups_allusers_automaticaccounts.png b/education/windows/images/azuread_usersandgroups_allusers_automaticaccounts.png
new file mode 100644
index 0000000000..f0549797a0
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_allusers_automaticaccounts.png differ
diff --git a/education/windows/images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png b/education/windows/images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png
new file mode 100644
index 0000000000..37ea63cda2
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png differ
diff --git a/education/windows/images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png b/education/windows/images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png
new file mode 100644
index 0000000000..1b8389b1f5
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png differ
diff --git a/education/windows/images/azuread_usersandgroups_devicesettings_usersmayjoin.png b/education/windows/images/azuread_usersandgroups_devicesettings_usersmayjoin.png
new file mode 100644
index 0000000000..40a603cf64
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_devicesettings_usersmayjoin.png differ
diff --git a/education/windows/images/gp_letwinappsaccesscontacts.PNG b/education/windows/images/gp_letwinappsaccesscontacts.PNG
new file mode 100644
index 0000000000..0228c9474b
Binary files /dev/null and b/education/windows/images/gp_letwinappsaccesscontacts.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_accountsummary.PNG b/education/windows/images/i4e_takeatestprofile_accountsummary.PNG
new file mode 100644
index 0000000000..e8feb9b5d7
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_accountsummary.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_addnewprofile.PNG b/education/windows/images/i4e_takeatestprofile_addnewprofile.PNG
new file mode 100644
index 0000000000..401bccef4a
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_addnewprofile.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_changegroup_selectgroup.PNG b/education/windows/images/i4e_takeatestprofile_changegroup_selectgroup.PNG
new file mode 100644
index 0000000000..4c8f0705ce
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_changegroup_selectgroup.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_groupassignment_selected.PNG b/education/windows/images/i4e_takeatestprofile_groupassignment_selected.PNG
new file mode 100644
index 0000000000..8431e1d0cf
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_groupassignment_selected.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_groups_changegroupassignments.PNG b/education/windows/images/i4e_takeatestprofile_groups_changegroupassignments.PNG
new file mode 100644
index 0000000000..914f0b4edd
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_groups_changegroupassignments.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_newtestaccount.PNG b/education/windows/images/i4e_takeatestprofile_newtestaccount.PNG
new file mode 100644
index 0000000000..1ec2f0a2e2
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_newtestaccount.PNG differ
diff --git a/education/windows/images/setedupolicies_omauri.PNG b/education/windows/images/setedupolicies_omauri.PNG
new file mode 100644
index 0000000000..eb3d9e216c
Binary files /dev/null and b/education/windows/images/setedupolicies_omauri.PNG differ
diff --git a/education/windows/images/setedupolicies_wcd.PNG b/education/windows/images/setedupolicies_wcd.PNG
new file mode 100644
index 0000000000..e240063f68
Binary files /dev/null and b/education/windows/images/setedupolicies_wcd.PNG differ
diff --git a/education/windows/images/skype_uwp_manageprofilepic.PNG b/education/windows/images/skype_uwp_manageprofilepic.PNG
new file mode 100644
index 0000000000..bdcf23dbc2
Binary files /dev/null and b/education/windows/images/skype_uwp_manageprofilepic.PNG differ
diff --git a/education/windows/images/skype_uwp_userprofile_icon.PNG b/education/windows/images/skype_uwp_userprofile_icon.PNG
new file mode 100644
index 0000000000..ad36c7f886
Binary files /dev/null and b/education/windows/images/skype_uwp_userprofile_icon.PNG differ
diff --git a/education/windows/images/suspc_account_signin.PNG b/education/windows/images/suspc_account_signin.PNG
new file mode 100644
index 0000000000..d045cff914
Binary files /dev/null and b/education/windows/images/suspc_account_signin.PNG differ
diff --git a/education/windows/images/suspc_and_wcd_comparison.png b/education/windows/images/suspc_and_wcd_comparison.png
new file mode 100644
index 0000000000..cff874ceb8
Binary files /dev/null and b/education/windows/images/suspc_and_wcd_comparison.png differ
diff --git a/education/windows/images/suspc_choosesettings_apps.PNG b/education/windows/images/suspc_choosesettings_apps.PNG
new file mode 100644
index 0000000000..babb55a445
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_apps.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_settings.PNG b/education/windows/images/suspc_choosesettings_settings.PNG
new file mode 100644
index 0000000000..bd556c0892
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_settings.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_settings_updated.PNG b/education/windows/images/suspc_choosesettings_settings_updated.PNG
new file mode 100644
index 0000000000..c62b4fa86f
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_settings_updated.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_setuptakeatest.PNG b/education/windows/images/suspc_choosesettings_setuptakeatest.PNG
new file mode 100644
index 0000000000..8ffc3fe3e6
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_setuptakeatest.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_signin.PNG b/education/windows/images/suspc_choosesettings_signin.PNG
new file mode 100644
index 0000000000..a45a12fbf5
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_signin.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_signin_final.PNG b/education/windows/images/suspc_choosesettings_signin_final.PNG
new file mode 100644
index 0000000000..3ec997cb73
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_signin_final.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_summary.PNG b/education/windows/images/suspc_choosesettings_summary.PNG
new file mode 100644
index 0000000000..c659a579e4
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_summary.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_takeatest.PNG b/education/windows/images/suspc_choosesettings_takeatest.PNG
new file mode 100644
index 0000000000..9f9f028852
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_takeatest.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_takeatest_updated.png b/education/windows/images/suspc_choosesettings_takeatest_updated.png
new file mode 100644
index 0000000000..e44dd21207
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_takeatest_updated.png differ
diff --git a/education/windows/images/suspc_getpcsready.PNG b/education/windows/images/suspc_getpcsready.PNG
new file mode 100644
index 0000000000..1e2bfae0ff
Binary files /dev/null and b/education/windows/images/suspc_getpcsready.PNG differ
diff --git a/education/windows/images/suspc_getpcsready_getpcsready.PNG b/education/windows/images/suspc_getpcsready_getpcsready.PNG
new file mode 100644
index 0000000000..6bb9ec078b
Binary files /dev/null and b/education/windows/images/suspc_getpcsready_getpcsready.PNG differ
diff --git a/education/windows/images/suspc_getpcsready_installpackage.PNG b/education/windows/images/suspc_getpcsready_installpackage.PNG
new file mode 100644
index 0000000000..c12bbe4de9
Binary files /dev/null and b/education/windows/images/suspc_getpcsready_installpackage.PNG differ
diff --git a/education/windows/images/suspc_getstarted.PNG b/education/windows/images/suspc_getstarted.PNG
new file mode 100644
index 0000000000..cbb3d4977c
Binary files /dev/null and b/education/windows/images/suspc_getstarted.PNG differ
diff --git a/education/windows/images/suspc_getstarted_final.PNG b/education/windows/images/suspc_getstarted_final.PNG
new file mode 100644
index 0000000000..d533536ad1
Binary files /dev/null and b/education/windows/images/suspc_getstarted_final.PNG differ
diff --git a/education/windows/images/suspc_getstarted_resized.png b/education/windows/images/suspc_getstarted_resized.png
new file mode 100644
index 0000000000..c9c99d8555
Binary files /dev/null and b/education/windows/images/suspc_getstarted_resized.png differ
diff --git a/education/windows/images/suspc_installsetupfile.PNG b/education/windows/images/suspc_installsetupfile.PNG
new file mode 100644
index 0000000000..61d0d9a3ad
Binary files /dev/null and b/education/windows/images/suspc_installsetupfile.PNG differ
diff --git a/education/windows/images/suspc_ppkg_isready.PNG b/education/windows/images/suspc_ppkg_isready.PNG
new file mode 100644
index 0000000000..e601a05a0f
Binary files /dev/null and b/education/windows/images/suspc_ppkg_isready.PNG differ
diff --git a/education/windows/images/suspc_ppkgready.PNG b/education/windows/images/suspc_ppkgready.PNG
new file mode 100644
index 0000000000..e285acdaee
Binary files /dev/null and b/education/windows/images/suspc_ppkgready.PNG differ
diff --git a/education/windows/images/suspc_reviewsettings.PNG b/education/windows/images/suspc_reviewsettings.PNG
new file mode 100644
index 0000000000..0948dbccb1
Binary files /dev/null and b/education/windows/images/suspc_reviewsettings.PNG differ
diff --git a/education/windows/images/suspc_reviewsettings_bluelinks.png b/education/windows/images/suspc_reviewsettings_bluelinks.png
new file mode 100644
index 0000000000..46c07c7a1a
Binary files /dev/null and b/education/windows/images/suspc_reviewsettings_bluelinks.png differ
diff --git a/education/windows/images/suspc_savepackage_insertusb.PNG b/education/windows/images/suspc_savepackage_insertusb.PNG
new file mode 100644
index 0000000000..e5f9968d7e
Binary files /dev/null and b/education/windows/images/suspc_savepackage_insertusb.PNG differ
diff --git a/education/windows/images/suspc_savesettings.PNG b/education/windows/images/suspc_savesettings.PNG
new file mode 100644
index 0000000000..f8338d3dec
Binary files /dev/null and b/education/windows/images/suspc_savesettings.PNG differ
diff --git a/education/windows/images/suspc_setup_removemediamessage.png b/education/windows/images/suspc_setup_removemediamessage.png
new file mode 100644
index 0000000000..94e9ddb900
Binary files /dev/null and b/education/windows/images/suspc_setup_removemediamessage.png differ
diff --git a/education/windows/images/suspc_setupfile_reviewsettings.PNG b/education/windows/images/suspc_setupfile_reviewsettings.PNG
new file mode 100644
index 0000000000..c5f3425ff5
Binary files /dev/null and b/education/windows/images/suspc_setupfile_reviewsettings.PNG differ
diff --git a/education/windows/images/suspc_setupfile_savesettings.PNG b/education/windows/images/suspc_setupfile_savesettings.PNG
new file mode 100644
index 0000000000..97ba234b8e
Binary files /dev/null and b/education/windows/images/suspc_setupfile_savesettings.PNG differ
diff --git a/education/windows/images/suspc_setupfileready.PNG b/education/windows/images/suspc_setupfileready.PNG
new file mode 100644
index 0000000000..349acbaf9d
Binary files /dev/null and b/education/windows/images/suspc_setupfileready.PNG differ
diff --git a/education/windows/images/suspc_signin_account.PNG b/education/windows/images/suspc_signin_account.PNG
new file mode 100644
index 0000000000..3f8b040f45
Binary files /dev/null and b/education/windows/images/suspc_signin_account.PNG differ
diff --git a/education/windows/images/suspc_signin_addapps.PNG b/education/windows/images/suspc_signin_addapps.PNG
new file mode 100644
index 0000000000..93e572a043
Binary files /dev/null and b/education/windows/images/suspc_signin_addapps.PNG differ
diff --git a/education/windows/images/suspc_signin_allowguests.PNG b/education/windows/images/suspc_signin_allowguests.PNG
new file mode 100644
index 0000000000..0bd0f69680
Binary files /dev/null and b/education/windows/images/suspc_signin_allowguests.PNG differ
diff --git a/education/windows/images/suspc_signin_setuptakeatest.PNG b/education/windows/images/suspc_signin_setuptakeatest.PNG
new file mode 100644
index 0000000000..6c8ba1799b
Binary files /dev/null and b/education/windows/images/suspc_signin_setuptakeatest.PNG differ
diff --git a/education/windows/images/suspc_start.PNG b/education/windows/images/suspc_start.PNG
new file mode 100644
index 0000000000..ab34f99a6b
Binary files /dev/null and b/education/windows/images/suspc_start.PNG differ
diff --git a/education/windows/images/suspc_studentpcsetup_installingsetupfile.png b/education/windows/images/suspc_studentpcsetup_installingsetupfile.png
new file mode 100644
index 0000000000..bbd10c89c4
Binary files /dev/null and b/education/windows/images/suspc_studentpcsetup_installingsetupfile.png differ
diff --git a/education/windows/images/suspc_wcd_featureslist.png b/education/windows/images/suspc_wcd_featureslist.png
new file mode 100644
index 0000000000..32b9211799
Binary files /dev/null and b/education/windows/images/suspc_wcd_featureslist.png differ
diff --git a/education/windows/images/suspc_wcd_sidebyside.png b/education/windows/images/suspc_wcd_sidebyside.png
new file mode 100644
index 0000000000..7fc108133e
Binary files /dev/null and b/education/windows/images/suspc_wcd_sidebyside.png differ
diff --git a/education/windows/images/suspc_win10v1703_getstarted.PNG b/education/windows/images/suspc_win10v1703_getstarted.PNG
new file mode 100644
index 0000000000..2777edfef9
Binary files /dev/null and b/education/windows/images/suspc_win10v1703_getstarted.PNG differ
diff --git a/education/windows/images/take_a_test_flow_dark.png b/education/windows/images/take_a_test_flow_dark.png
new file mode 100644
index 0000000000..98255e8694
Binary files /dev/null and b/education/windows/images/take_a_test_flow_dark.png differ
diff --git a/education/windows/images/tat_settingsapp_setupaccount_addtestaccount.PNG b/education/windows/images/tat_settingsapp_setupaccount_addtestaccount.PNG
new file mode 100644
index 0000000000..66c28eccc7
Binary files /dev/null and b/education/windows/images/tat_settingsapp_setupaccount_addtestaccount.PNG differ
diff --git a/education/windows/images/tat_settingsapp_setuptesttakingaccount.PNG b/education/windows/images/tat_settingsapp_setuptesttakingaccount.PNG
new file mode 100644
index 0000000000..70a917d836
Binary files /dev/null and b/education/windows/images/tat_settingsapp_setuptesttakingaccount.PNG differ
diff --git a/education/windows/images/tat_settingsapp_setuptesttakingaccount_1703.PNG b/education/windows/images/tat_settingsapp_setuptesttakingaccount_1703.PNG
new file mode 100644
index 0000000000..deb04f2e74
Binary files /dev/null and b/education/windows/images/tat_settingsapp_setuptesttakingaccount_1703.PNG differ
diff --git a/education/windows/images/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG b/education/windows/images/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG
new file mode 100644
index 0000000000..c9221ed95a
Binary files /dev/null and b/education/windows/images/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG differ
diff --git a/education/windows/images/wcd_accountmanagement.PNG b/education/windows/images/wcd_accountmanagement.PNG
new file mode 100644
index 0000000000..071522f906
Binary files /dev/null and b/education/windows/images/wcd_accountmanagement.PNG differ
diff --git a/education/windows/images/wcd_exportpackage.PNG b/education/windows/images/wcd_exportpackage.PNG
new file mode 100644
index 0000000000..19a1c89703
Binary files /dev/null and b/education/windows/images/wcd_exportpackage.PNG differ
diff --git a/education/windows/images/wcd_settings_assignedaccess.PNG b/education/windows/images/wcd_settings_assignedaccess.PNG
new file mode 100644
index 0000000000..443a5d0688
Binary files /dev/null and b/education/windows/images/wcd_settings_assignedaccess.PNG differ
diff --git a/education/windows/images/wcd_setupdevice.PNG b/education/windows/images/wcd_setupdevice.PNG
new file mode 100644
index 0000000000..01422870d4
Binary files /dev/null and b/education/windows/images/wcd_setupdevice.PNG differ
diff --git a/education/windows/images/wcd_setupnetwork.PNG b/education/windows/images/wcd_setupnetwork.PNG
new file mode 100644
index 0000000000..f0be6908f5
Binary files /dev/null and b/education/windows/images/wcd_setupnetwork.PNG differ
diff --git a/education/windows/images/wcd_win10v1703_start_newdesktopproject.PNG b/education/windows/images/wcd_win10v1703_start_newdesktopproject.PNG
new file mode 100644
index 0000000000..f0ce8f6b93
Binary files /dev/null and b/education/windows/images/wcd_win10v1703_start_newdesktopproject.PNG differ
diff --git a/education/windows/images/win10_1703_oobe_firstscreen.png b/education/windows/images/win10_1703_oobe_firstscreen.png
new file mode 100644
index 0000000000..0d5343d0b4
Binary files /dev/null and b/education/windows/images/win10_1703_oobe_firstscreen.png differ
diff --git a/education/windows/images/win10_settings_privacy.PNG b/education/windows/images/win10_settings_privacy.PNG
new file mode 100644
index 0000000000..5285ce94f2
Binary files /dev/null and b/education/windows/images/win10_settings_privacy.PNG differ
diff --git a/education/windows/images/win10_settings_privacy_contacts.PNG b/education/windows/images/win10_settings_privacy_contacts.PNG
new file mode 100644
index 0000000000..f17ef60de0
Binary files /dev/null and b/education/windows/images/win10_settings_privacy_contacts.PNG differ
diff --git a/education/windows/images/win10_settings_privacy_contacts_apps.png b/education/windows/images/win10_settings_privacy_contacts_apps.png
new file mode 100644
index 0000000000..774f18fad9
Binary files /dev/null and b/education/windows/images/win10_settings_privacy_contacts_apps.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 6ee2d1946a..218a13938e 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -19,12 +19,9 @@ author: CelesteDG ### ![Learn more about Windows](images/education.png) Learn -

-

[Windows 10 editions for education customers](windows-editions-for-education-customers.md)
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
Find out more about the features and functionality we support in each edition of Windows.

-

[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
When you've made your decision, find out how to buy Windows for your school.

-
+

[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
When you've made your decision, find out how to buy Windows for your school.

How-to videos

-
-
+

### ![Plan for Windows 10 in your school](images/clipboard.png) Plan -
-

-[Provisioning options for Windows 10](set-up-windows-10.md)
Depending on your school's device management needs, you can use **Set up School PCs** or the *Provision school devices* option in **Windows Imaging and Configuration Designer** to quickly set up student PCs.

+

[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

+

[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

[Get Minecraft Education Edition](get-minecraft-for-education.md)
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.

[Take tests in Windows 10](take-tests-in-windows-10.md)
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

-

[Chromebook migration guide](chromebook-migration-guide.md)
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

-
+

[Chromebook migration guide](chromebook-migration-guide.md)
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

- ### ![Deploy Windows 10 for education](images/PCicon.png) Deploy +### ![Deploy Windows 10 for education](images/PCicon.png) Deploy -
-
-

[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

-

[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

-

[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

-
-
+

[Set up Windows devices for education](set-up-windows-10.md)
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

+

[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

+

[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

-
-
### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade -
-

[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.

- -

-
-
+

[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.

## Windows 8.1 Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment. -
-

Windows 8.1 deployment planning
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.

Windows 8.1 deployment to PCs
Get an overview of Windows 8.1 deployment to PCs in an educational environment.

BYOD
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.

Deploying Windows RT 8.1
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.

-
-

Virtual Desktop Infrastructure
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).

Windows Store apps
Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.

Windows To Go
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.

-
-
+ ## Related topics
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index b065ab2c96..f385bbbcd2 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -5,6 +5,7 @@ keywords: ["school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index bb0dc144ae..7c998c3e0b 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -1,11 +1,12 @@
---
title: Set up School PCs app technical reference
description: Describes the changes that the Set up School PCs app makes to a PC.
-keywords: shared cart, shared PC, school
+keywords: shared cart, shared PC, school, set up school pcs
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -16,51 +17,94 @@ author: CelesteDG -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. -If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. -The following table tells you what you get using the **Set up School PCs** app in your school. +Here's a list of what you get when using the Set up School PCs app in your school. | Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | | --- | :---: | :---: | :---: | :---: | | **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | | **Custom Start experience**
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Temporary access, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **Guest account, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | | **School policies**
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | | **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | +| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | +| **Take a Test**
Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | | **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | -| | | | | | -> **Note**: If your school uses Active Directory, use Windows Imaging and Configuration Designer to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. +> [!NOTE] +> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. -## Prerequisites for IT +## Automated Azure AD join +One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. -* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account. -* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. 
[Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) -* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) -* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). +To make this as seamless as possible, in your Azure AD tenant: +- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. + + **Figure 1** - Select the users you want to enable to join devices to Azure AD + + ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) + +- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. + - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. + - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. + +- Turn off multifactor authentication. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. 
+ + **Figure 2** - Turn off multi-factor authentication in Azure AD + + ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) + +- Set the maximum number of devices a user can add to unlimited. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. + + **Figure 3** - Set maximum number of devices per user to unlimited + + ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) + +- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. + + **Figure 4** - Delete the accounts automatically created for the Azure AD tokens + + ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) + +- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. + + **Figure 5** - Sample summary page showing the expiration date + + ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) + + + ## Information about Windows Update -Shared PC mode helps ensure that computers are always up-to-date. 
If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to: +Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: * Wake nightly * Check and install updates * Forcibly reboot if necessary to finish applying updates -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. ## Guidance for accounts on shared PCs * We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. +* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. 
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. * If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or @@ -68,6 +112,7 @@ The PC is also configured to not interrupt the user during normal daytime hours * The account management service supports accounts that are exempt from deletion. * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. * To add the account SID to the registry key using PowerShell: + ``` $adminName = "LocalAdmin" $adminPass = 'Pa$$word123' 
@@ -78,24 +123,22 @@ The PC is also configured to not interrupt the user during normal daytime hours New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force ``` - ## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). ## Provisioning package details -The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). +The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). -### Education customizations +### Education customizations set by local MDM policy -- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. -- A custom Start layout and sign in background image are set. +- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. +- A custom Start layout, taskbar layout, and lock screen image are set. - Prohibits unlocking the PC to developer mode. 
- Prohibits untrusted Windows Store apps from being installed. - Prohibits students from removing MDM. - Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**). -- Sets active hours from 6 AM to 6 PM. +- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). - Sets Windows Update to update nightly. @@ -103,19 +146,18 @@ The **Set up School PCs** app produces a specialized provisioning package that m - 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) - Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) +- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) - Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) - Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) - Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) - Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) - Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe) -- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) - Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) ### Local Group Policies -> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. +> [!IMPORTANT] +> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. @@ -171,6 +213,9 @@ The **Set up School PCs** app produces a specialized provisioning package that m + + + @@ -212,36 +257,32 @@ The **Set up School PCs** app produces a specialized provisioning package that m + + - + - - - - - - - - - - + + + + 
@@ -256,9 +297,13 @@ The **Set up School PCs** app produces a specialized provisioning package that m

Policy path

Turn off the display (on battery

1 hour

Admin Templates>System>Power Management>Energy Saver Settings

Energy Saver Battery Threshold (on battery)

70

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Do not show feedback notifications

Enabled

Allow Telemetry

Basic, 0

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

12am

Automatic Maintenance Activation Boundary

*MaintenanceStartTime*

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > Microsoft Edge

Open a new tab with an empty tab

Disabled

Configure corporate home pages

Enabled, about:blank

Admin Templates > Windows Components > OneDrive

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates > Windows Components > Search

Allow Cortana

Disabled

Admin Templates > Windows Components > Windows Hello for Business

Use phone sign-in

Disabled

Use Windows Hello for Business

Disabled

Use biometrics

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled


+## Use the app +When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + ## Related topics -[Use Set up School PCs app](use-set-up-school-pcs-app.md) +[Set up Windows devices for education](set-up-windows-10.md) + diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 1c3d6361e1..9a8c59b2c6 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -1,10 +1,11 @@ --- title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: ["shared cart", "shared PC", "school"] +keywords: school ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library +localizationpriority: high author: CelesteDG --- 
@@ -13,81 +14,57 @@ author: CelesteDG - Windows 10 -If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain. + +## Install Windows Configuration Designer +Follow the instructions in [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd). ## Create the provisioning package +Follow the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these steps to further customize the provisioning package for use in a school that will join a student PC to a domain: -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +1. In the **Account Management** step: -2. Click **Provision school devices**. + > [!WARNING] + > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + > - Use a least-privileged domain account to join the device to the domain. + > - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. 
+ > - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - ![Provision school devices](images/icdstart-option.png) +2. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**. +3. Find the **SharedPC** settings group. + - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use. +4. (Optional) To configure the PC for secure testing, follow these steps. + 1. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. + 2. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. -3. Name your project and click **Finish**. The screens for school provisioning will walk you through the following steps. + **Figure 7** - Add the account to use for test-taking - ![Wizard for school provisioning](images/icd-school.png) + ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. + The account can be in one of the following formats: + - username + - domain\username + - computer name\\username + - username@tenant.com -5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Home to Education - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - -6. Click **Set up network**. + 3. 
Under **Runtime settings**, go to **TakeATest** and configure the following settings: + 1. In **LaunchURI**, enter the assessment URL. + 2. In **TesterAccount**, enter the test account you entered in the previous step. -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. +5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer. -8. Click **Enroll into Active Directory**. +6. Follow the steps to [build a package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package#build-package). + - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*). + - Copy the provisioning package to a USB drive. -9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + > [!IMPORTANT] + > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. 
- - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -10. Click **Set up school settings**. - -11. Toggle **Yes** or **No** to configure the PC for shared use. - -12. (Optional) Toggle **Yes** or **No** to configure the PC for secure testing. If you select **Yes**, you must also enter the test account to be used and the URL for the test. If you don't configure the test account and URL in this provisioning package, you can do so after the PC is configured; for more information, see [Take tests in Windows 10](take-tests-in-windows-10.md). - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. - -13. You will see the file path for your provisioning package (by default, %windir%\Users\*your alias*\Windows Imaging and Configuration Designer (WICD)\*Project name*). Copy the provisioning package to a USB drive. - -> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 
## Apply package +Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - - ![The first screen to set up a new PC](images/oobe.jpg) - -2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/setupmsg.jpg) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - - ![Choose a package](images/choose-package-icd.png) - -5. Select **Yes, add it**. - - ![Do you trust this package?](images/trust-package.png) - -When you see the progress ring, you can remove the USB drive. diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 55da4e77f5..401f60f084 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -5,6 +5,7 @@ keywords: ["shared cart", "shared PC", "school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library +localizationpriority: high author: CelesteDG --- 
@@ -14,16 +15,19 @@ author: CelesteDG - Windows 10 -This topic explains how to create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. +To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps). + +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. +- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps). +- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package. 
-If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Add apps to a provisioning package](#add-apps-to-a-provisioning-package). If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md), and then follow the steps in [Create a provisioning package to add apps after initial setup](#create-a-provisioning-package-to-add-apps-after-initial-setup). - + ## Learn more diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 16a30c38bc..1d43aed651 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md 
@@ -1,28 +1,35 @@ --- -title: Provisioning options for Windows 10 +title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. -keywords: shared cart, shared PC, school +keywords: school, Windows device setup, education device setup ms.prod: w10 -ms.mktglfcycl: plan +ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG --- -# Provisioning options for Windows 10 +# Set up Windows devices for education **Applies to:** - Windows 10 -You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuration Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools. +You have two tools to choose from to set up PCs for your classroom: + * Set up School PCs + * Windows Configuration Designer + +Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). -![Which tool to use to set up Windows 10](images/setup-options.png) +You can use the following diagram to compare the tools. + +![Which tool to use to set up Windows 10](images/suspc_wcd_featureslist.png) ## In this section -- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) -- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +- [Use the Set up School PCs app](use-set-up-school-pcs-app.md) +- [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) - [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) - [Provision student PCs with apps](set-up-students-pcs-with-apps.md) 
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 32d45fb353..5aa6b3ed7b 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -1,11 +1,12 @@ --- title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. -keywords: shared cart, shared PC, school +keywords: take a test, test taking, school ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG --- @@ -20,7 +21,7 @@ Take a Test is an app that locks down the PC and displays an online assessment w Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments -Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. (Link to Javascript API when available) +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api). ## PC lockdown for assessment 
@@ -28,17 +29,11 @@ Assessment vendors can use Take a Test as a platform to lock down the operating When running above the lock screen: - The app runs full screen with no chrome - - The hardware print screen button is disabled - -- Content within the app will show up as black in screen capturing/sharing software - +- Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software - System clipboard is cleared - - Web apps can query the processes currently running in the user’s device - - Extended display shows up as black - - Auto-fill is disabled ## Mobile device management (MDM) policies @@ -59,9 +54,7 @@ When Take a Test is running, the following MDM policies are applied to lock down When Take a Test is running, the following functionality is available to students: - Assistive technology that is configured to run above the lock screen should run as expected - - Narrator is available through Windows key + Enter - - Magnifier is available through Windows key + "+" key - Full screen mode is compatible 
@@ -70,14 +63,15 @@ When Take a Test is running, the following functionality is available to student - Take a Test - Assistive technology that may be running - - Lock Screen (not available if student is using a dedicated test account) - > **Note** The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. + - Lock screen (not available if student is using a dedicated test account) + + > [!NOTE] + > The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. - The student can exit the test by pressing one of the following key combinations: - Ctrl+Alt+Del - - - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) + - Alt+F4 (Take a Test will restart if the student is using a dedicated test account) ## Learn more diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index caa227ea97..d58000171e 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -1,11 +1,12 @@ --- title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. -keywords: ["shared cart", "shared PC", "school"] +keywords: ["take a test", "test taking", "school"] ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG --- 
@@ -15,127 +16,158 @@ author: CelesteDG - Windows 10 -Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. -- Take a Test shows just the test and nothing else. -- Take a Test clears the clipboard. -- Students aren’t able to go to other websites. -- Students can’t open or access other apps. -- Students can't share, print, or record their screens. -- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. -- Cortana is turned off. - -## How to use Take a Test - -![Set up and user flow for the Take a Test app](images/take_a_test_workflow.png) - -- **Use an assessment URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. -- **[Put an assessment URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. +Follow the guidance in this topic to set up Take a Test on multiple PCs. 
## Set up a dedicated test account -To configure a dedicated test account on multiple PCs, you can use: +To configure a dedicated test account on multiple PCs, select any of the following methods: +- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app) +- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) -- [A provisioning package](#set-up-a-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) -- [Group Policy](#set-up-a-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script +- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) +- [Group Policy to deploy a scheduled task that runs a Powershell script](#set-up-a-test-account-in-group-policy) + +### Set up a test account in the Set up School PCs app +If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. + +If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. + +**Figure 1** - Configure Take a Test in the Set up School PCs app + +![Configure Take a Test in the Set up School PCs app](images/suspc_choosesettings_setuptakeatest.png) + +### Set up a test account in Intune for Education +You can set up a test-taking account in Intune for Education. To do this, follow these steps: + +1. 
In Intune for Education, select **Take a Test profiles** from the menu. +2. Click **+ Add Test Profile** to create an account. + + **Figure 2** - Add a test profile in Intune for Education + + ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png) + +3. In the new profile page: + 1. Enter a name for the profile. + 2. Enter the assessment URL. + 3. Toggle the switch to **Allow screen capture**. + 4. Select a user account to use as the test-taking account. + 5. Click **Save**. + + **Figure 3** - Add information about the test profile + + ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png) + + After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. + +4. In the test account page, click **Groups**. + + **Figure 4** - Assign the test account to a group + + ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png) + +5. In the **Groups** page, click **Change group assignments**. + + **Figure 5** - Change group assignments + + ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png) + +6. In the **Change group assignments** page: + 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. + 2. Click **OK** when you're done making your selection. + + **Figure 6** - Select the group(s) that will use the test account + + ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png) + +And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests. 
### Set up a test account in MDM or Configuration Manager +You can configure a dedicated testing account through MDM or Configuration Manager by specifying a single account in the directory to be the test-taking account. Devices that have the test-taking policies can sign into the specified account to take the test. + +**Best practice** +- Create a single account in the directory specifically for test taking + - Active Directory example: Contoso\TestAccount + - Azure Active Directory example: testaccount@contoso.com + +- Deploy the policies to the group of test-taking devices + +**To enable this configuration** + 1. Launch your management console. -2. Create a policy to set up single app kiosk mode, using the following values: +2. Create a policy to set up single app kiosk mode using the following values: - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp - - **String value** = {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} + - **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} - Account can be in one of the following formats: - - username + *Account* can be in one of the following formats: + - username (not recommended) - domain\username - - computer name\\username + - computer name\\username (not recommended) - username@tenant.com -3. Create a policy to configure the assessment URL, using the following values: +3. Create a policy to configure the assessment URL using the following values: - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI - **String value** = *assessment URL* See [Assessment URLs](#assessment-urls) for more information. -4. Create a policy that associates the assessment URL to the account, using the following values: +4. 
Create a policy that associates the assessment URL to the account using the following values: - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount - **String value** = Enter the account that you specified in step 2, using the same account format. -5. To take the test, the student signs in to the test account. +5. Deploy the policies to the test-taking devices. +6. To take the test, the student signs in to the test account. -### Set up a test account in a provisioning package +### Set up a test account through Windows Configuration Designer +To set up a test account through Windows Configuration Designer, follow these steps. -**Prerequisite:** You must first download the Windows ADK for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD). For more info, see [Install Windows Imaging and Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-install-icd). +1. [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd). +2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account. + 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**. + 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. + 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. -**Create a provisioning package to set up a test account** + **Figure 7** - Add the account to use for test-taking -1. 
Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). -2. Select **Advanced provisioning**. -3. Name your project, and click **Next**. -4. Select **All Windows desktop editions**, and click **Next**. -5. Click **Finish**. -6. Go to **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**. -7. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up, as shown in the following image. + ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) - ![Enter account and app for Assigned Access Settings](images/test-account-icd.png) - - Account can be in one of the following formats: + The account can be in one of the following formats: - username - domain\username - computer name\\username - username@tenant.com -8. Go to **Runtime settings** > **TakeATest**. -9. Enter the assessment URL in **LaunchURI**. -10. Enter the test account from step 7 in **TesterAccount**. -On the **File** menu, select **Save.** -9. On the **Export** menu, select **Provisioning package**. -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + 4. 
Under **Runtime settings**, go to **TakeATest** and configure the following settings: + 1. In **LaunchURI**, enter the assessment URL. + 2. In **TesterAccount**, enter the test account you entered in step 3. -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. +3. Follow the steps to [build a package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package#build-package). - Optionally, you can click **Browse** to change the default output location. + - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*). + - Copy the provisioning package to a USB drive. -13. Click **Next**. -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. 
Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device. [Learn how to apply a provisioning package in audit mode or OOBE](https://go.microsoft.com/fwlink/p/?LinkID=692012). +4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. ### Set up a test account in Group Policy To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script. #### Create a PowerShell script This sample PowerShell script configures the test account and the assessment URL. Edit the sample to: -- Use your test account for **$obj.LaunchURI** -- Use your assessment URL for **$obj.TesterAccount** + +- Use your assessment URL for **$obj.LaunchURI** +- Use your test account for **$obj.TesterAccount** - Use your test account for **-UserName** -``` -$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; -$obj.LaunchURI='http://www.foo.com'; -$obj.TesterAccount='TestAccount'; -$obj.put() -Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount -``` + ``` + $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; + $obj.LaunchURI='http://www.foo.com'; + $obj.TesterAccount='TestAccount'; + $obj.put() + Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount + ``` #### Create a scheduled task in Group Policy 1. Open the Group Policy Management Console. 
@@ -165,15 +197,53 @@ Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5 ## Provide link to test Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. -1. Create a link to the assessment URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +**To provide a link to the test** + +1. Create the link to the test using schema activation. + + Manually embed a URL with a specific prefix. You can select parameters depending on what you want to enable. For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation). + +2. Distribute the link. + + Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link). + +3. To take the test, have the students click on the link and provide user consent. + +### Create a link using schema activation +One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down. + +**To enable schema activation for assessment URLs** + +1. Embed a link or create a desktop shortcut with: + ``` ms-edu-secureassessment:!enforceLockdown ``` - > [!NOTE] - > You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. -2. 
Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. -3. To take the test, the student clicks on the link and provides user consent. +2. To enable printing, screen capture, or both, use the above link and append one of these parameters: + + - `&enableTextSuggestions` - Enables text suggestions + - `&enablePrint` - Enables printing + - `&enableScreenCapture` - Enables screen capture + - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. + + If you exclude these parameters, the default behavior is disabled. + + For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + + > [!NOTE] + > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters. + +### Create a shortcut for the test link +You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-l) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: + +1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**. +2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**. +3. Click **Next**. +4. Type a name for the shortcut and then click **Finish**. 
+ +Once the shortcut is created, you can copy it and distribute it to students. + ## Assessment URLs This assessment URL uses our lockdown API:
@@ -186,6 +256,4 @@ This assessment URL uses our lockdown API: [Set up Take a Test on a single PC](take-a-test-single-pc.md) -[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) - [Take a Test app technical reference](take-a-test-app-technical.md)
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 52a6636b7d..7c2d4ac065 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -1,11 +1,12 @@ --- title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. -keywords: shared cart, shared PC, school +keywords: take a test, test taking, school ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG ---
@@ -14,54 +15,109 @@ author: CelesteDG - Windows 10 - -The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - -- Take a Test shows just the test and nothing else. -- Take a Test clears the clipboard. -- Students aren’t able to go to other websites. -- Students can’t open or access other apps. -- Students can't share, print, or record their screens. -- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. -- Cortana is turned off. - -> [!TIP] -> To exit **Take a Test**, press Ctrl+Alt+Delete. - - -## How to use Take a Test - -![Set up and user flow for the Take a Test app](images/take_a_test_workflow.png) - -- **Use an assessment URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. -- **[Put an assessment URL with an included prefix](#provide-a-link-to-the-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. +To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic. ## Set up a dedicated test account -1. Sign into the device with an administrator account. -2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**. -3. Select an existing account to use as the dedicated testing account. +To configure the assessment URL and a dedicated testing account on a single PC, follow these steps. - > [!NOTE] - > If you don't have an account on the device, you can create a new account. 
To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. +1. Sign into the Windows 10 device with an administrator account. +2. Open the **Settings** app and go to **Accounts > Access work or school**. +3. Click **Set up an account for taking tests**. -4. Specify an assessment URL. -5. Click **Save**. -6. To take the test, the student signs in to the selected account. + **Figure 1** - Use the Settings app to set up a test-taking account + + ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) + +4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account. + + **Figure 2** - Choose the test-taking account + + ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) + + > [!NOTE] + > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**. + +5. In the **Set up an account for taking tests**, enter the assessment URL in the field under **Enter the test's web address**. +6. Select the options you want to enable during the test. + - To enable printing, select **Require printing**. + + > [!NOTE] + > Make sure a printer is preconfigured on the Take a Test account if you're enabling this option. + + - To enable teachers to monitor screens, select **Allow screen monitoring**. + - To allow text suggestions, select **Allow text suggestions**. + +6. Click **Save**. +7. To take the test, the student must sign in using the test-taking account that you created. ## Provide a link to the test - Anything hosted on the web can be presented in a locked down manner, not just assessments. 
To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. -1. Create a link to the assessment URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +**To provide a link to the test** + +1. Create the link to the test. + + There are different ways you can do this: + + - Create a link using a web UI + + For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. + + To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) + + - Create a link using schema activation + + You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. + + For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation). + +2. Distribute the link. + + Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. + + You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link). + +3. To take the test, have the students click on the link and provide user consent. + + > [!NOTE] + > If you enabled printing, the printer must be preconfigured for the account before the student takes the test. + + +### Create a link using schema activation +One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down. + +**To enable schema activation for assessment URLs** + +1. 
Embed a link or create a desktop shortcut with: ``` ms-edu-secureassessment:!enforceLockdown ``` - > [!NOTE] - > You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. -2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. -3. To take the test, the student clicks on the link and provides user consent. +2. To enable printing, screen capture, or both, use the above link and append one of these parameters: + + - `&enableTextSuggestions` - Enables text suggestions + - `&enablePrint` - Enables printing + - `&enableScreenCapture` - Enables screen capture + - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. + + If you exclude these parameters, the default behavior is disabled. + + For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + + > [!NOTE] + > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters. + + +### Create a shortcut for the test link +You can also distribute the test link by creating a shortcut. 
To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-l) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: + +1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**. +2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**. +3. Click **Next**. +4. Type a name for the shortcut and then click **Finish**. + +Once the shortcut is created, you can copy it and distribute it to students. ## Related topics
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 6ba8afa38c..361dbff702 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -1,11 +1,12 @@ --- title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. -keywords: shared cart, shared PC, school +keywords: take a test, test taking, school ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG ---
@@ -15,32 +16,55 @@ author: CelesteDG - Windows 10 -Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test: -- **Take a Test** shows just the test and nothing else. -- **Take a Test** clears the clipboard. +- Take a Test shows just the test and nothing else. +- Take a Test clears the clipboard. - Students aren’t able to go to other websites. - Students can’t open or access other apps. -- Students can't share, print, or record their screens. +- Students can't share, print, or record their screens unless enabled by the teacher or IT administrator - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. - Cortana is turned off. - - ## How to use Take a Test -![Set up and user flow for the Take a Test app](images/take_a_test_workflow.png) +![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png) -- **Use an assessment URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. -- **Put an assessment URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. 
We recommend this method for lower stakes assessments. +There are several ways to configure devices for assessments. You can: +- **Configure an assessment URL and a dedicated testing account** -## How to set up Take a Test on PCs -You can use Take a Test to set up a test for a single PC or multiple PCs. Follow these links to learn how: -- [Set up Take a Test on a single PC](take-a-test-single-pc.md) -- [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. -## Related topics + There are different methods to configure the assessment URL and a dedicated testing account depending on whether you're setting up Take a Test on a single PC or multiple PCs. -[Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) + - **For a single PC** + + You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). -[Take a Test app technical reference](take-a-test-app-technical.md) + - **For multiple PCs** + + You can use any of these methods: + - Mobile device management (MDM) or Microsoft System Center Configuration Manager + - A provisioning package created in Windows Configuration Designer + - Group Policy to deploy a scheduled task that runs a Powershell script + + Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options: + - Set up School PCs app + - Intune for Education + + For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md). + +- **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. 
You can also create shortcuts to distribute the link** + + This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + + You can enable this using a schema activation. + + +## How to exit Take a Test +To exit the Take a Test app at any time, press Ctrl+Alt+Delete. + + +## Get more info +- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/help/4000711/windows-10-create-tests-using-microsoft-forms) to find out how. +- To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 211c2913d0..e5ce0def1b 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -1,10 +1,11 @@ --- title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. -keywords: ["school"] +keywords: ["school", "minecraft"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library +localizationpriority: high author: trudyha ---
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index b6303d21a2..0467fd2994 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -1,11 +1,12 @@ --- title: Use Set up School PCs app description: Learn how the Set up School PCs app works and how to use it. -keywords: shared cart, shared PC, school +keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.mktglfcycl: plan +ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG ---
@@ -15,130 +16,251 @@ author: CelesteDG - Windows 10 + > [!NOTE] + > The latest Set up School PCs app will be available for download in the Store very soon. To get familiar with the settings you can configure in the latest app, read the information in this topic. -Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. -[Download the Set up School PCs app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4ls40) +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. -![Run app, turn on PC, insert USB key](images/app1.jpg) +![Set up School PCs app](images/suspc_getstarted_resized.png) ## What does this app do? -The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: -* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu - * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar - * Sets Microsoft Edge as the default browser - * Uninstalls apps not specific to education, such as Solitaire and Sports - * Turns off Offers and tips - * Prevents students from adding personal Microsoft accounts to the computer -* Significantly improves how fast students sign-in. -* The app connects the PCs to your school’s cloud so IT can manage them (optional). 
-* Windows 10 automatically manages accounts no matter how many students use the PC. -* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). -* Customizes the sign-in screen to support students with IDs and temporary users. -* Locks down the computer to prevent mischievous activity: - * Prevents students from installing apps - * Prevents students from removing the computer from the school's device management system +Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: +- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant +- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. 
+- Removes OEM preinstalled software from each student PC +- Auto-configures and saves a wireless network profile on each student PC +- Gives a friendly and unique name to each student device for future management +- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup +- Enables optional guest account for younger students, lost passwords, or visitors +- Enables optional secure testing account +- Locks down the student PC to prevent mischievous activity: + * Prevents students from removing the PC from the school's device management system * Prevents students from removing the Set up School PCs settings +- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours +A student PC that's set up using the Set up School PCs provisioning package is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + * Customizes the Start layout with Office + * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar + * Uninstalls apps not specific to education, such as Solitaire + * [Gets the student PC ready for use in an education environment](configure-windows-for-education.md) + * Prevents students from adding personal Microsoft accounts to the PC ## Tips for success -* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. - > **Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use. -* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. 
If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. -> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. -* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. +* **Run the app at work** -![The first screen to set up a new PC](images/oobe.jpg) + For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. + + > [!NOTE] + > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use. + +* **Apply to new student PCs** + * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost. + + > [!WARNING] + > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. + + * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again. + + To do this: + - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**. + - Or, hit **Shift + L + click Restart in the Power menu** to load the Windows boot user experience. From there, follow these steps: + 1. 
Click **Troubleshoot** and then choose **Reset this PC**. + 2. Select **Remove everything**. + 3. Select **No - remove provisioning packages**. + 4. Select **Only the drive where Windows is installed** (this may not always show up). + 5. Click **Just remove my files**. + +* **Use more than one USB key** + + If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on. + +* **Keep it clean** + + We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). + +* **Get more info** + + Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). -If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. -* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. -* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. -* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). 
## Set up School PCs app step-by-step What you need: -- The **Set up School PCs** app, installed on your work computer, connected to your school's network -- A USB drive, 1 GB or larger +- The **Set up School PCs** app, installed on your work PC and connected to your school's network. -### Create the setup file in the app + + +- A USB drive, 1 GB or larger. We recommend an 8 GB or larger USB drive if you're installing Office. + +### Create the provisioning package in the app The **Set up School PCs** app guides you through the configuration choices for the student PCs. -1. Open the **Set up School PCs** app and select **Start**. +1. Launch the Set up School PCs app. - ![select start](images/app1.jpg) - -2. Choose **No** to require students to sign in only with an account, or choose **Yes** to allow students to use the PC without an account too, and then select **Next**. + **Figure 1** - Launch the Set up School PCs app - ![account required?](images/setup-app-1-access.png) + ![Launch the Set up School PCs app](images/suspc_getstarted_resized.png) -3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself. +2. Click **Get started**. +3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: - ![choose network](images/setup-app-1-wifi.png) + To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. - - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**. - - ![enter network information](images/setup-app-1-wifi-manual.png) - -4. Insert a USB drive, select it in the app, and then select **Save**. + To complete setup without signing in, click **Skip**. 
Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. - ![select usb drive](images/setup-app-1-usb.png) + If you opt to sign in, follow these steps: + + 1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details. + 2. Click **Next** once you've specified the account. + 3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more. + 4. Click **Accept**. + + The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud. + + **Figure 2** - Verify that the account you selected shows up + + ![Verify that the account you selected shows up](images/suspc_choosesettings_signin_final.png) + + 5. Click **Next**. + +4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: + 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. + 2. Click **Next**. + +5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page: + 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. + + > [!NOTE] + > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique. + + For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers. + + 2. Click **Next**. + +6. 
To specify other settings for the student PC, in the **Configure student PC settings** page: + - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image. + + > [!NOTE] + > If you select this option, the provisioning process will take longer (about 30 minutes). + + - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab. + - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1). Check this option if the device will not be part of a shared cart or lab. + - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option. + + If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC. + + - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. + + **Figure 3** - Configure student PC settings + + ![Configure student PC settings](images/suspc_choosesettings_settings_updated.png) + + When you're doing configuring the student PC settings, click **Next**. + +7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. + 1. Enter the assessment URL. + 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. 
+ + If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. + + **Figure 4** - Configure the Take a Test app + + ![Configure the Take a Test app](images/suspc_choosesettings_setuptakeatest.png) + + 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. + + + +8. In the **Review package summary** page, make sure that all the settings you configured appear correctly. + 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. + + **Figure 5** - Review your settings and change them as needed + + ![Review your settings and change them as needed](images/suspc_choosesettings_summary.png) + + 2. Click **Accept**. + +9. In the **Insert a USB drive now** page: + 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive. + 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. + 3. Click **Save** to save the provisioning package to the USB drive. + + **Figure 6** - Select the USB drive and save the provisioning package + + ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) + +10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. + + **Figure 7** - Provisioning package is ready + + ![Provisioning package is ready](images/suspc_ppkg_isready.png) + +12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. 
+ + **Figure 8** - Line up the student PCs and get them ready for setup + + ![Line up the student PCs and get them ready for setup](images/suspc_getpcsready_getpcsready.png) + +13. Click **Next**. +14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. + + Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package. + + **Figure 9** - Install the provisioning package on the student PCs + + ![Install the provisioning package on the student PCs](images/suspc_getpcsready_installpackage.png) +### Apply the provisioning package to the student PCs -### Apply the setup file to PCs +The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC. -The setup file on your USB drive is named `SetupSchoolPCs.ppkg`, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. +> [!NOTE] +> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE). -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. 
+**To set up the student PC using the Set up School PCs provisioning package** - ![The first screen to set up a new PC](images/oobe.jpg) +1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**. -2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![Set up device?](images/setupmsg.jpg) + **Figure 10** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png) - ![Provision this device](images/prov.jpg) - -4. Select `SetupSchoolPCs.ppkg` and tap **Next**. +2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. - ![Choose a package](images/choose-package.png) + **Figure 11** - Windows automatically detects the provisioning package and installs it -5. Select **Yes, add it**. + ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png) - ![Do you trust this package?](images/trust-package.png) - -6. Read and accept the Microsoft Software License Terms. +3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC. - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. 
+ **Figure 12** - Remove the USB drive when you see the message that the media can be removed - ![Get going fast](images/express-settings.png) + ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png) + +4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use. -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. - ![Who owns this PC?](images/who-owns-pc.png) +## Related topics -9. On the **Choose how you'll connect** screen, select **Join Azure AD** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Your last step is to sign in. Use your Azure AD or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) - - -That's it! Sign out and the computer is now ready for students. - -## Learn more - -See [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) for prerequisites and provisioning details. +[Set up Windows devices for education](set-up-windows-10.md) diff --git a/education/windows/windows-10-pro-to-pro-edu-upgrade.md b/education/windows/windows-10-pro-to-pro-edu-upgrade.md index cb88389ec9..0e2befd5c6 100644 --- a/education/windows/windows-10-pro-to-pro-edu-upgrade.md +++ b/education/windows/windows-10-pro-to-pro-edu-upgrade.md 
@@ -1,30 +1,32 @@ --- -title: Windows 10 Pro to Pro Education upgrade -description: Describes how IT Pros can opt into a Windows 10 Pro Education upgrade from the Windows Store for Business. +title: Switch Windows 10 Pro to Pro Education +description: Describes how IT Pros can opt into switching from Windows 10 Pro to Windows 10 Pro Education from the Windows Store for Business. +keywords: switch, Pro to Pro Education, education customers ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG --- -# Upgrade Windows 10 Pro to Pro Education from Windows Store for Business +# Switch Windows 10 Pro to Pro Education from Windows Store for Business Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. -If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free upgrade to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for upgrade](#requirements-for-upgrade). +If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free switch to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. 
After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. -When you upgrade to Windows 10 Pro Education, you get the following benefits: +When you switch to Windows 10 Pro Education, you get the following benefits: - **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). - **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. -- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic upgrade to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). +- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). -In summary, the Windows 10 Pro Education free upgrade through the Windows Store for Business is an upgrade offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition. 
+In summary, the Windows 10 Pro Education free switch through the Windows Store for Business is an offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition. ## Compare Windows 10 Pro and Pro Education editions @@ -35,9 +37,9 @@ In Windows 10, version 1607, the Windows 10 Pro Education edition contains the See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. -## Requirements for upgrade +## Requirements for switching -Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements: +Before you switch from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements: - Devices must be: - Running Windows 10 Pro, version 1607 - Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). 
@@ -47,59 +49,59 @@ Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure yo - The Azure AD tenant must be recognized as an education approved tenant. - You must have a Windows Store for Business account. -## Upgrade from Windows 10 Pro to Windows 10 Pro Education -Once you enable the setting to upgrade Windows 10 Pro to Windows 10 Pro Education, the upgrade will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the upgrade. +## Switch from Windows 10 Pro to Windows 10 Pro Education +Once you enable the setting to switch Windows 10 Pro to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the switch. -**To turn on the automatic upgrade from Windows 10 Pro to Windows 10 Pro Education** +**To turn on the automatic switch from Windows 10 Pro to Windows 10 Pro Education** 1. Sign in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account. If this is the first time you're signing into the Store, you'll be prompted to accept the Windows Store for Business Terms of Use. 2. Go to **Manage > Account information**. 3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link. - You will see the following page informing you that your school is eligible for a free automatic upgrade from Windows 10 Pro to Windows 10 Pro Education. + You will see the following page informing you that your school is eligible for a free automatic switch from Windows 10 Pro to Windows 10 Pro Education. 
- ![Eligible for free Windows 10 Pro to Windows 10 Pro Education upgrade](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png) + ![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png) - **Figure 1** - Upgrade Windows 10 Pro to Windows 10 Pro Education + **Figure 1** - Switch Windows 10 Pro to Windows 10 Pro Education 4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**. -5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the upgrade. +5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the switch. - ![Email with Windows 10 Pro to Pro Education upgrade link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png) + ![Email with Windows 10 Pro to Pro Education switch link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png) - **Figure 2** - Email notification with a link to enable the upgrade + **Figure 2** - Email notification with a link to enable the switch -6. Click **Enable the automatic upgrade now** to turn on automatic upgrades. +6. Click **Enable the automatic upgrade now** to turn on automatic switches. - ![Enable the automatic upgrade](images/wsfb_win10_pro_to proedu_upgrade_enable.png). + ![Enable the automatic switch](images/wsfb_win10_pro_to proedu_upgrade_enable.png). - **Figure 3** - Enable the automatic upgrade + **Figure 3** - Enable the automatic switch - Enabling the automatic upgrade also triggers an email message notifying all global administrators in your organization about the upgrade. It also contains a link that enables any global administrators to cancel the upgrade, if they choose. For more info about rolling back or canceling the upgrade, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). 
+ Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch, if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). - ![Email informing other global admins about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png). + ![Email informing other global admins about the switch](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png). **Figure 4** - Notification email sent to all global administrators 7. Click **Close** in the **Success** page. - In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the upgrade was enabled and the name of the admin who enabled the upgrade. + In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the switch was enabled and the name of the admin who enabled the switch. - ![Summary page about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_summary.png) + ![Summary page about the switch](images/wsfb_win10_pro_to proedu_upgrade_summary.png) - **Figure 5** - Details about the automatic upgrade + **Figure 5** - Details about the automatic switch -## Explore the upgrade experience +## Explore the switch experience -So what will the users experience? How will they upgrade their devices? +So what will the users experience? How will they switch their devices? ### For existing Azure AD domain joined devices -Existing Azure AD domain joined devices will be upgraded from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. 
+Existing Azure AD domain joined devices will be switched from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. ### For new devices that are not Azure AD domain joined -Now that you've turned on the setting to automatically upgrade Windows 10 Pro to Windows 10 Pro Education, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition. +Now that you've turned on the setting to automatically switch Windows 10 Pro to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition. #### Step 1: Join users’ devices to Azure AD 
@@ -171,23 +173,23 @@ If there are any problems with the Windows 10 Pro Education license or the acti ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10 Pro Education upgrade. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows: - The existing Windows 10 Pro, version 1607 operating system is not activated. -- The Windows 10 Pro Education upgrade has lapsed or has been removed. +- The Windows 10 Pro Education switch has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: -**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education upgrade is active. +**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education switch is active. Windows 10 activated and subscription active -**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education upgrade is active. +**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education switch is active. Windows 10 not activated and subscription active

@@ -209,30 +211,30 @@ Devices must be running Windows 10 Pro, version 1607, and be Azure Active Direct A popup window will display the Windows 10 version number and detailed OS build information. - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. ## Roll back Windows 10 Pro Education to Windows 10 Pro -If your organization has the Windows 10 Pro to Windows 10 Pro Education upgrade enabled, and you decide to roll back to Windows 10 Pro or to cancel the upgrade, you can do this by: -- Logging into Windows Store for Business page and turning off the automatic upgrade. -- Selecting the link to turn off the automatic upgrade from the notification email sent to all global administrators. +If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by: +- Logging into Windows Store for Business page and turning off the automatic switch. +- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators. -Once the automatic upgrade to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were upgraded will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was upgraded may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that an upgrade was enabled and then turned off will never see their device change from Windows 10 Pro. +Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an switch was enabled and then turned off will never see their device change from Windows 10 Pro. **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic upgrade. +1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch. 2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link. 3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**. - ![Turn off automatic upgrade to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png) + ![Turn off automatic switch to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png) - **Figure 15** - Link to turn off the automatic upgrade + **Figure 15** - Link to turn off the automatic switch -4. You will be asked if you're sure that you want to turn off automatic upgrades to Windows 10 Pro Education. Click **Yes**. +4. 
You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. -6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the upgrade was disabled. +6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the switch was disabled. - If you decide later that you want to turn on automatic upgrades again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**. + If you decide later that you want to turn on automatic switches again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**. ## Preparing for deployment of Windows 10 Pro Education licenses diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index ed22802caa..99a438e0b9 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu +localizationpriority: high author: CelesteDG --- 
@@ -14,9 +15,10 @@ author: CelesteDG - Windows 10 + Windows 10 Anniversary Update (Windows 10, version 1607) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/). +Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. 
You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/). Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. 
@@ -24,7 +26,11 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). +> [!NOTE] +> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). + + +Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). 
Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation. 
@@ -36,13 +42,18 @@ Customers that deploy Windows 10 Pro are able to configure the product to have s Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). +> [!NOTE] +> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). + + +Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). 
We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). Customers that deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us). ## Related topics +* [Switch Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) * [Windows deployment for education](http://aka.ms/edudeploy) * [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787) * [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788) diff --git a/mdop/agpm/choosing-which-version-of-agpm-to-install.md b/mdop/agpm/choosing-which-version-of-agpm-to-install.md index e79ec15b6e..a3062b6238 100644 --- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md +++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md @@ -50,31 +50,37 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and

Supported

+

Windows Server 2012 R2

+

Windows 10

+

Supported with the caveats outlined in [KB 4015786](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv) +

+ +

Windows Server 2012 R2 or Windows 8.1

Windows Server 2012 R2 or Windows 8.1

Supported

- +

Windows Server 2012 R2, Windows Server 2012, or Windows 8.1

Windows Server 2012 or Windows 8.1

Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1

- +

Windows Server 2008 R2 or Windows 7

Windows Server 2008 R2 or Windows 7

Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1

- +

Windows Server 2012, Windows Server 2008 R2, or Windows 7

Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)

Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7

- +

Windows Server 2008 or Windows Vista with SP1

Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7

Not supported

- +

Windows Server 2008 or Windows Vista with SP1

Windows Server 2008 or Windows Vista with SP1

Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7

diff --git a/windows/WaaS-infographic.pdf b/windows/WaaS-infographic.pdf
new file mode 100644
index 0000000000..cb1ef988a1
Binary files /dev/null and b/windows/WaaS-infographic.pdf differ
diff --git a/windows/configure/TOC.md b/windows/configure/TOC.md
index b284277953..75766ed065 100644
--- a/windows/configure/TOC.md
+++ b/windows/configure/TOC.md
@@ -1,5 +1,7 @@
 # [Configure Windows 10](index.md)
 ## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+## [Basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+## [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md)
 ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
 ## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
@@ -32,11 +34,11 @@
 ## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
 ### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
 #### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
 #### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
 #### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
 #### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email}(cortana-at-work-scenario-6.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
 #### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md)
 ### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
 ### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md
new file mode 100644
index 0000000000..0ae4581bb0
--- /dev/null
+++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md
@@ -0,0 +1,4115 @@
+---
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
+keywords: privacy, telemetry
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+---
+
+
+# Windows 10, version 1703 basic level Windows diagnostic events and fields
+
+
+ **Applies to**
+
+- Windows 10, version 1703
+
+
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
+
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+
+
+
+
+## Common data extensions
+
+### Common Data Extensions.App
+
+
+
+The following fields are available:
+
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **userId** The userID as known by the application.
+- **env** The environment from which the event was logged.
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+
+
+### Common Data Extensions.CS
+
+
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.CUET
+
+
+
+The following fields are available:
+
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **op** Represents the ETW Op Code.
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event.
+- **bseq** Upload buffer sequence number in the format \:\
+- **mon** Combined monitor and event sequence numbers in the format \:\
+
+
+### Common Data Extensions.Device
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile.
+
+
+### Common Data Extensions.Envelope
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **name** Represents the uniquely qualified name for the event.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence.
The next byte is the event latency.
+- **os** Represents the operating system name.
+- **osVer** Represents the OS version, and its format is OS dependent.
+- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+
+
+### Common Data Extensions.OS
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+
+
+### Common Data Extensions.User
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.XBL
+
+
+
+The following fields are available:
+
+- **nbf** Not before time
+- **expId** Expiration time
+- **sbx** XBOX sandbox identifier
+- **dty** XBOX device type
+- **did** XBOX device ID
+- **xid** A list of base10-encoded XBOX User IDs.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+
+
+### Common Data Extensions.Consent UI Event
+
+This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+
+The following fields are available:
+
+- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
+- **splitToken** Represents the flag used to distinguish between administrators and standard users.
+- **friendlyName** Represents the name of the file requesting elevation from low IL.
+- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
+- **exeName** Represents the name of the file requesting elevation from low IL.
+- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
+- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
+- **cmdLine** Represents the full command line arguments being used to elevate.
+- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
+- **Hash** Represents the hash of the file requesting elevation from low IL.
+- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
+- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
+- **timeStamp** Represents the time stamp on the file requesting elevation.
+- **fileVersionMS** Represents the major version of the file requesting elevation.
+- **fileVersionLS** Represents the minor version of the file requesting elevation.
+
+
+## Common data fields
+
+### Common Data Fields.MS.Device.DeviceInventory.Change
+
+These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
+
+The following fields are available:
+
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+- **objectType** Indicates the object type that the event applies to.
+- **Action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
+
+These fields are added whenever PreUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
+- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
+- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
+- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
+- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
+- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled** The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
+- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
+- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
+
+These fields are added whenever PostUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
+- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
+- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
+- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
+- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
+- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled** The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
+- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
+- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device.
+- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device.
+- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
+- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device.
+- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
+- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device.
+- **SystemMemory** The total SystemMemory objects that are present on this device.
+- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device.
+- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
+- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
+- **SystemWlan** The total SystemWlan objects that are present on this device.
+- **SystemWim** The total SystemWim objects that are present on this device
+- **SystemTouch** The total SystemTouch objects that are present on this device.
+- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256
+
+This event lists the types of objects and the hashed values of all the identifiers for each one. This allows for a more in-depth way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device.
+- **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device.
+- **InventoryLanguagePack** The SHA256 hash of InventoryLanguagePack objects that are present on this device.
+- **InventoryUplevelDriverPackage** The SHA256 hash of InventoryUplevelDriverPackage objects that are present on this device.
+- **InventorySystemBios** The SHA256 hash of InventorySystemBios objects that are present on this device.
+- **SystemProcessorCompareExchange** The SHA256 hash of SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorLahfSahf** The SHA256 hash of SystemProcessorLahfSahf objects that are present on this device.
+- **SystemMemory** The SHA256 hash of SystemMemory objects that are present on this device.
+- **SystemProcessorPrefetchW** The SHA256 hash of SystemProcessorPrefetchW objects that are present on this device.
+- **SystemProcessorSse2** The SHA256 hash of SystemProcessorSse2 objects that are present on this device.
+- **SystemProcessorNx** The SHA256 hash of SystemProcessorNx objects that are present on this device.
+- **SystemWlan** The SHA256 hash of SystemWlan objects that are present on this device.
+- **SystemWim** The SHA256 hash of SystemWim objects that are present on this device.
+- **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device.
+- **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+This event sends compatibility information about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **AvDisplayName** If it is an anti-virus app, this is its display name.
+- **CompatModelIndex** The compatibility prediction for this file.
+- **HasCitData** Is the file present in CIT data?
+- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **ActiveNetworkConnection** Is the device an active network device?
+- **IsBootCritical** Is the device boot critical?
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this device.
+- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update?
+- **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question?
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dimissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
+
+The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **OldData** The previous data in the registry value before the scan ran.
+- **NewData** The data in the registry value after the scan completed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Does this device have 2 or more language packs?
+- **LanguagePackCount** How many language packs are installed?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **BiosName** The name field from Win32_BIOS.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+This event indicates that the InventorySystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **ClassGuid** The device class GUID from the driver package.
+- **Class** The device class from the driver package.
+- **Date** The date from the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file, post-rename.
+- **Revision** The revision of the driver package.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.IsOnlineTelemetryOutputter
+
+This event indicates if Appraiser was able to connect successfully to Windows Update to get driver availability information.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers.
+- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information?
+
+
+### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource
+
+This event indicates if Appraiser was able to connect to Windows Update to gather driver coverage information.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers.
+- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information?
+- **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event indicates what should be expected in the data payload.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **Time** The client time of the event.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+
+
+### Microsoft.Windows.Appraiser.General.SetupAdlStatus
+
+This event indicates if Appraiser used data files from the setup image or more up-to-date data files downloaded from a Microsoft server.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Result** The last result of the operation to determine if there is a data file to download.
+- **OneSettingsInitialized** Was the query to OneSettings, where the information is stored on if there is a data file to download, initialized?
+- **Url** The URL of the data file to download. This will be an empty string if there is no data file to download.
+- **UsingAlternateData** Is the client using alternate data file or using the data file in the setup image?
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+This event indicates that the SystemProcessorCompareExchange object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+This event indicates that the SystemProcessorLahfSahf object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+This event indicates that the SystemWim object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+This event indicates that the SystemWlan object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+
+The following fields are available:
+
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **Time** The client time of the event.
+- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **AuxFinal** Obsolete, always set to false
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **TelementrySent** Indicates if telemetry was successfully sent.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+- **RunResult** The hresult of the Appraiser telemetry run.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **BlockingApplication** Same as NeedsDismissAction
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Census events
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **CensusVersion** The version of Census that generated the current data for this device.
+
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **IsDomainJoined** Indicates whether a machine is joined to a domain.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **MPNId** Returns the Partner ID/MPN ID from Regkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **DeviceColor** Indicates a color of the device.
+- **DeviceName** The device name that is set by the user.
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelNumber** The device model number.
+- **OEMModelName** The device model name.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer.
+- **SoCName** The firmware manufacturer of the device.
+- **DUID** The device unique ID.
+- **InventoryId** The device ID used for compatibility testing.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **StudyID** Used to identify retail and non-retail device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DigitizerSupport** Is a digitizer supported?
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+
+The following fields are available:
+
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **NetworkCost** Represents the network cost associated with a connection.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware.
Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC).
It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU** Retrieves the Friendly Name of OS Edition.
+- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine.
+- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **LanguagePacks** The list of language packages installed on the device.
+- **InstallLanguage** The first language installed on the user machine.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **SLICVersion** Returns OS type/version from SLIC table.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **OSEdition** Retrieves the version of the current OS.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+
+
+### Census.Processor
+
+This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProcessorCores** Retrieves the number of cores in the processor.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
+- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
+- **ProcessorModel** Retrieves the name of the processor model.
+- **SocketCount** Number of physical CPU sockets of the machine.
+- **ProcessorIdentifier** The processor identifier of a manufacturer.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdatePolicy** Retrieves the Windows Store App Auto Update group policy setting
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
+- **WUPauseState** Retrieves WU setting to determine if updates are paused
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxLiveDeviceId** Retrieves the unique device id of the console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode** Returns last execution codes from census client run.
+- **CensusStartTime** Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime** Retrieves the last time the device lost free network.
+- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
+- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **DecodingDroppedCount** The number of events dropped because of decoding failures.
+- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
+- **DbDroppedCount** The number of events that were dropped because the database was full.
+- **EventSubStoreResetCounter** The number of times the event database was reset.
+- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
+- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
+- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
+- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
+- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
+- **EventsUploaded** The number of events that have been uploaded.
+- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
+- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
+- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
+- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
+- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
+- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
+- **CensusTaskEnabled** Indicates whether Census is enabled.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** The time of the last Census run.
+
+
+### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
+
+This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
+
+The following fields are available:
+
+- **PostUpgradeSettings** The privacy settings after a feature update.
+- **PreUpgradeSettings** The privacy settings before a feature update.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **version** The event version.
+- **bootId** The system boot ID.
+- **aiSeqId** The event sequence ID.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **InterfaceId** The GPU interface ID.
+- **GPUVendorID** The GPU vendor ID.
+- **GPUDeviceID** The GPU device ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **SubSystemID** The subsystem ID.
+- **GPURevisionID** The GPU revision ID.
+- **DriverVersion** The display driver version.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **WDDMVersion** The Windows Display Driver Model version.
+- **DisplayAdapterLuid** The display adapter LUID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **ProcessId** The ID of the process that has crashed.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **AppName** The name of the app that has crashed.
+- **AppVersion** The version of the app that has crashed.
+- **AppTimeStamp** The date/time stamp of the app.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModVersion** The version of the module that has crashed.
+- **ModTimeStamp** The date/time stamp of the module.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. 
PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **TypeCode** Bitmap describing the hang type.
+- **ProcessId** The ID of the process that has hung.
+- **UTCReplace_TargetAppId** The kernel reported AppId of the application being reported.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **UTCReplace_TargetAppVer** The specific version of the application being reported.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **PackageFullName** Store application identity.
+- **AppVersion** The version of the app that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **Device** A count of device objects in cache
+- **DeviceCensus** A count of devicecensus objects in cache
+- **DriverPackageExtended** A count of driverpackageextended objects in cache
+- **File** A count of file objects in cache
+- **Generic** A count of generic objects in cache
+- **HwItem** A count of hwitem objects in cache
+- **InventoryApplication** A count of application objects in cache
+- **InventoryApplicationFile** A count of application file objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache
+- **InventoryDeviceMediaClass** A count of device media objects in cache
+- **InventoryDevicePnp** A count of devicepnp objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache
+- **InventoryDriverPackage** A count of device objects in cache
+- **Metadata** A count of metadata objects in cache
+- **Orphan** A count of orphan file objects in cache
+- **Programs** A count of program objects in cache
+- **FileSigningInfo** A count of file signing info objects in cache.
+- **InventoryDeviceInterface** A count of inventory device interface objects in cache.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Name** The name of the application. Location pulled from depends on 'Source' field.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **Version** The version number of the program.
+- **Language** The language code of the program.
+- **Source** How the program was installed (ARP, MSI, Appx, etc...)
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics)
+- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array.
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it).
+- **PackageFullName** The package full name for a Store application.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ModelName** The model name.
+- **ModelId** A model GUID.
+- **PrimaryCategory** The primary category for the device container.
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsPaired** Does the device container require pairing?
+- **IsNetworked** Is this a networked device?
+- **IsMachineContainer** Is the container the root device itself?
+- **FriendlyName** The name of the device container.
+- **DiscoveryMethod** The discovery method for the device container.
+- **ModelNumber** The model number for the device container.
+- **Manufacturer** The manufacturer name for the device container.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **objectInstanceId** ContainerId
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **HWID** A JSON array that provides the value and order of the HWID tree for the device.
+- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device.
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **Enumerator** The bus that enumerated the device.
+- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
+- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 
288 (0x120)= device is a wireless device that is present.
+- **ParentId** Device instance id of the parent of the device.
+- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device.
+- **Description** The device description.
+- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device setup class guid of the driver loaded for the device.
+- **Manufacturer** The device manufacturer.
+- **Model** The device model.
+- **Inf** The INF file name.
+- **DriverVerVersion** The version of the driver loaded for the device.
+- **DriverVerDate** The date of the driver loaded for the device.
+- **Provider** The device provider.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Service** The device service name.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
+- **LowerFilters** Lower filter drivers IDs installed for the device.
+- **UpperClassFilters** Upper filter class drivers IDs installed for the device.
+- **UpperFilters** Upper filter drivers IDs installed for the device.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **DriverId** A unique identifier for the installed device.
+- **DriverName** The name of the driver image file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **ProblemCode** The current error code for the device.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event sends basic metadata about driver files running on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **DriverName** The file name of the driver.
+- **Inf** The name of the INF file.
+- **DriverPackageStrongName** The strong name of the driver package.
+- **DriverCompany** The company name that developed the driver.
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverSigned** Is the driver signed?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **WdfVersion** The Windows Driver Framework version.
+- **Service** The name of the service that is installed for the device.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Inf** The INF name of the driver package.
+- **ClassGuid** The class GUID for the device driver.
+- **Class** The class name for the device driver.
+- **Directory** The path to the driver package.
+- **Date** The driver package date.
+- **Version** The version of the driver package.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **IndicatorValue** The indicator value
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating that the item has been removed. There are no additional unique fields in this event.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+
+
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **Duration** How long the operation took.
+- **isSuccess** Was the operation successful?
+- **ResultCode** The result code.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **Hresult** The HResult of the operation.
+- **isSuccess** Was the operation successful?
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **HResult** The HResult of the operation.
+- **SourceOSVersion** The source version of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOneDriveVersion** The current version of OneDrive.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **isSuccess** Was the operation successful?
+
+
+### Microsoft.OneDrive.Sync.Setup.SetupCommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **OfficeVersion** The version of Office that is installed.
+- **BuildArch** Is the architecture x86 or x64?
+- **Market** Which market is this in?
+- **OneDriveDeviceId** The OneDrive device ID.
+- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **Environment** Is the device on the production or int service?
+- **OfficeVersionString** The version of Office that is installed.
+- **BuildArchitecture** Is the architecture x86 or x64?
+- **UserGuid** The CEIP user ID.
+- **MSFTInternal** Is this an internal Microsoft device?
+
+
+### Microsoft.OneDrive.Sync.Updater.CommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **OfficeVersion** The version of Office that is installed.
+- **BuildArch** Is the architecture x86 or x64?
+- **Market** Which market is this in?
+- **OneDriveDeviceId** The OneDrive device ID.
+- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **Environment** Is the device on the production or int service?
+- **UserGuid** A unique global user identifier.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event determines the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
+
+This event determines the status of the OneDrive integration with Microsoft Office.
+
+The following fields are available:
+
+- **isValid** Is the Microsoft Office registration valid?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.RepairResult
+
+The event determines the result of the installation repair.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
+
+This event indicates the status when downloading the OneDrive setup file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event determines the outcome of the operation.
+
+The following fields are available:
+
+- **UpdaterVersion** The version of the updater.
+- **IsLoggingEnabled** Is logging enabled?
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
+
+This event determines status of the update tier registry values.
+
+The following fields are available:
+
+- **regReadEnterpriseHr** The HResult of the enterprise reg read value.
+- **regReadTeamHr** The HResult of the team reg read value.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends a unique ID that can be used to bind Setup Platform events together, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Retrieves the value associated with the corresponding event name. For example: For time-related events, this will include the system time.
+- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event
+- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
+## Shared PC events
+
+### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
+
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+- **userSid** The security identifier of the account.
+- **accountType** The type of account that was deleted. Example: AD, AAD, or Local
+
+
+### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
+
+Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
+- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies.
+- **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **SyncType** Describes the type of scan the event was
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **Online** Indicates if this was an online scan.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **MSIError** The last error that was encountered during a scan for updates.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **SearchFilter** Contains information indicating filters applied while checking for content applicable to the device. For example, to filter out all content which may require a reboot.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+
+
+### SoftwareUpdateClientTelemetry.Commit
+
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** State of call
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** UniqueDeviceID
+- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
+- **EventType** Possible values are "Child", "Bundle", or "Driver".
+- **UpdateId** Unique Update ID
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **RevisionNumber** Unique revision number of Update
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **FlightId** The specific id of the flight the device is getting
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
+- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **HostName** The hostname URL the content is downloading from.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **PackageFullName** The package name of the content.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **WUSetting** Indicates the users' current updating settings.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **PlatformRole** The PowerPlatformRole as defined on MSDN
+- **IsAOACDevice** Is it Always On, Always Connected?
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **Edition** Indicates the edition of Windows being used.
+- **DeviceOEM** What OEM does this device belong to.
+- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
+- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** Mobile operator that device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **IsFirmware** Is this update a firmware update?
+- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
+- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **ExtendedErrorCode** The extended error code.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **TransactionCode** The ID which represents a given MSI installation
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **UpdateId** Unique update ID
+- **RevisionNumber** The revision number of this specific piece of content.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **PackageFullName** The package name of the content being installed.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
+- **CbsDownloadMethod** Was the download a full download or a partial download?
+- **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
+- **DeviceOEM** What OEM does this device belong to.
+- **DownloadPriority** The priority of the download activity.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **Edition** Indicates the edition of Windows being used.
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
+- **PlatformRole** The PowerPlatformRole as defined on MSDN.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **WUSetting** Indicates the user's current updating settings.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+
+
+### SoftwareUpdateClientTelemetry.SLSDiscovery
+
+This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **SusClientId** The unique device ID controlled by the software distribution client
+- **WUAVersion** The version number of the software distribution client
+- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **UrlPath** Path to the SLS cab that was downloaded
+- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
+- **NextExpirationTime** Indicates when the SLS cab expires
+
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Windows Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **WUDeviceID** The unique device ID controlled by the software distribution client
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventInstanceID** A globally unique identifier for event instance
+- **DeviceModel** The device's model as defined in system bios
+- **BiosName** The name of the device's system bios
+- **BIOSVendor** The vendor of the device's system bios
+- **BiosVersion** The version of the device's system bios
+- **BiosReleaseDate** The release date of the device's system bios
+- **SystemBIOSMajorRelease** The major release version of the device's system system
+- **SystemBIOSMinorRelease** The minor release version of the device's system system
+- **BiosFamily** The device's family as defined in system bios
+- **BiosSKUNumber** The device's SKU as defined in system bios
+- **ClientVersion** The version number of the software distribution client
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided
+- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **StatusCode** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion
+- **SyncType** Describes the type of scan the event was
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
+
+The following fields are available:
+
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **StatusCode** The status code of the event.
+- **ExtendedStatusCode** The secondary status code of the event.
+- **RevisionId** The revision ID for a specific piece of content.
+- **UpdateId** The update ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+
+
+## Update events
+
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current download request phase.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountOptional** Number of optional packages requested.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the download request phase of update.
+- **PackageSizeCanonical** Size of canonical packages in bytes
+- **PackageSizeDiff** Size of diff packages in bytes
+- **PackageSizeExpress** Size of express packages in bytes
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **RangeRequestState** Represents the state of the download range request.
+- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+
+
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current initialize phase.
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **UpdateId** Unique ID for each update.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+
+
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **Mode** Indicates that the Update Agent mode that has started.
1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** The correlation vector value generated from the latest scan.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **SandboxSize** The size of the sandbox folder on the device.
+
+
+## Upgrade events
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+- **TestId** A string that uniquely identifies a group of events.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.OsUninstall
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreDownloadUX
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run.
Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT)
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360.
Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **ScenarioId** Retrieves the deployment scenario.
+- **FieldName** Retrieves the data point.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run.
Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **DumpFileSize** Size of the dump file
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+
+
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **PFN** The product family name of the product being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsUpdate** Flag indicating if this is an update.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **CategoryId** The Item Category ID.
+- **ProductId** The identity of the package or packages being installed.
+- **IsInteractive** Was this requested by a user?
+- **IsRemediation** Was this a remediation install?
+- **BundleId** The Item Bundle ID.
+- **IsMandatory** Was this a mandatory update?
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
+
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
+
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsInteractive** Was this requested by a user?
+- **AttemptNumber** Total number of installation attempts.
+- **BundleId** The identity of the Windows Insider build that is associated with this product.
+- **PreviousHResult** The previous HResult code.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **PFN** The name of all packages to be downloaded and installed.
+- **ProductId** The name of the package or packages requested for installation.
+- **IsUpdate** Is this a product update?
+- **IsRemediation** Is this repairing a previous installation?
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+
+The following fields are available:
+
+- **IsBundle** Is this a bundle?
+- **ProductId** The Store Product ID of the product being installed.
+- **SkuId** Specific edition of the item being installed.
+- **CatalogId** The Store Product ID of the app being installed.
+- **PackageFamilyName** The name of the package being installed.
+- **HResult** HResult code of the action being performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFN** Product Family Name of the product being installed.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **ProductId** The Store Product ID for the product being installed.
+- **IsInteractive** Did the user initiate the installation?
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsRemediation** Is this repairing a previous installation?
+- **UpdateId** The update ID (if this is an update)
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **IsUpdate** Is this an update?
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **IsRestore** Is this happening after a device restore?
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **ParentBundledId** The product's parent bundle ID.
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFN** The Product Family Name of the app being download.
+- **IsRemediation** Is this repairing a previous installation?
+- **DownloadSize** The total size of the download.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **IsUpdate** Is this an update?
+- **HResult** The result code of the last action performed.
+- **IsInteractive** Is this initiated by the user?
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **ProductId** The Store Product ID for the product being installed.
+- **IsMandatory** Is this a mandatory installation?
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **IsRestore** Is this a restore of a previously acquired product?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID.
+- **ExtendedHResult** Any extended HResult error codes.
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **PFN** Product Family Name of the product being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **HResult** The result code of the last action performed.
+- **IsRemediation** Is this repairing a previous installation?
+- **IsInteractive** Is this an interactive installation?
+- **IsUpdate** Is this an update?
+- **IsMandatory** Is this a mandatory installation?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **ExtendedHResult** The extended HResult error code.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsRemediation** Is this repairing a previous installation?
+- **IsUpdate** Is this an update?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **ProductId** The Store Product ID for the product being installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsInteractive** Is this user requested?
+- **PFN** The name of the package or packages requested for install.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsInteractive** Is this user requested?
+- **PFN** The name of the package or packages requested for install.
+- **IsUpdate** Is this an update?
+- **CategoryId** The identity of the package or packages being installed.
+- **HResult** The result code of the last action performed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **ProductId** The Store Product ID for the product being installed.
+- **BundleId** The identity of the build associated with this product.
+- **IsRemediation** Is this repairing a previous installation?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+
+The following fields are available:
+
+- **ProductId** The product ID of the app that is being updated or installed.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **FailedRetry** Was the installation or update retry successful?
+- **HResult** The HResult code of the operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+
+The following fields are available:
+
+- **ProductId** The product ID of the app that is being updated or installed.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **BundleId** The identity of the build associated with this product.
+- **SkuId** Specific edition ID being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **IsRemediation** Is this repairing a previous installation?
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **ProductId** The Store Product ID for the product being installed.
+- **IsUpdate** Is this an update?
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsInteractive** Is this user requested?
+- **BundleId** The identity of the build associated with this product.
+- **PFN** The Product Full Name.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **PreviousHResult** The previous HResult error code.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **PFN** The name of the package or packages requested for install.
+- **IsUpdate** Is this an update?
+- **PreviousInstallState** Previous state before the installation was paused.
+- **IsRemediation** Is this repairing a previous installation?
+- **IsInteractive** Is this user requested?
+- **ProductId** The Store Product ID for the product being installed.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **IsUserRetry** Did the user initiate the retry?
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
+- **CatalogId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN** The name of the product that is requested for update.
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **fileID** The ID of the file being downloaded.
+- **sessionID** The ID of the file download session.
+- **scenarioID** The ID of the scenario.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **updateID** The ID of the update being downloaded.
+- **background** Is the download being done in the background?
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **clientTelId** A random number used for device sampling.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **errorCode** The error code that was returned.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **sessionID** The ID of the download session.
+- **scenarioID** The ID of the scenario.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **updateID** The ID of the update being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **fileID** The ID of the file being downloaded.
+- **background** Is the download a background download?
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **totalTime** How long did the download take (in seconds)?
+- **restrictedUpload** Is the upload restricted?
+- **clientTelId** A random number used for device sampling.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **downloadMode** The download mode used for this file download session.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **numPeers** The total number of peers used for this download.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **cdnIp** The IP address of the source CDN.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+- **totalTimeMs** Duration of the download (in seconds).
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **bytesRequested** The total number of bytes requested for download.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **updateID** The ID of the update being paused.
+- **errorCode** The error code that was returned.
+- **scenarioID** The ID of the scenario.
+- **background** Is the download a background download?
+- **sessionID** The ID of the download session.
+- **clientTelId** A random number used for device sampling.
+- **reasonCode** The reason for pausing the download.
+- **fileID** The ID of the file being paused.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **errorCode** The error code that was returned.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **peerID** The ID for this Delivery Optimization client.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **jobID** The ID of the Windows Update job.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being downloaded.
+- **scenarioID** The ID of the scenario.
+- **fileID** The ID of the file being downloaded.
+- **cdnUrl** The URL of the CDN.
+- **filePath** The path where the file will be written.
+- **groupID** ID for the group.
+- **background** Is the download a background download?
+- **downloadMode** The download mode used for this file download session.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
+- **diceRoll** The dice roll value used in sampling events.
+- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
+- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
+- **clientTelId** A random number used for device sampling.
+- **costFlags** A set of flags representing network cost.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **errorCode** The error code that was returned.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **sessionID** The ID of the download session.
+- **cdnUrl** The URL of the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **clientTelId** A random number used for device sampling.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.JobError
+
+This event represents a Windows Update job error. It allows for investigation of top errors.
+
+The following fields are available:
+
+- **jobID** The Windows Update job ID.
+- **fileID** The ID of the file being downloaded.
+- **errorCode** The error code returned.
+- **clientTelId** A random number used for device sampling.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+
+This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationEndtime** A system timestamp of when the DMF migration completed.
+- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
+- **WuClientid** The GUID of the Windows Update client responsible for triggering the DMF migration.
+- **MigrationDurationinmilliseconds** How long the DMF migration took (in milliseconds).
+- **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
+
+This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
+- **MigrationStarttime** The timestamp representing the beginning of the DMF migration.
+- **MigrationOEMphases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade.
+- **WuClientid** The GUID of the Windows Update client invoking DMF.
+- **MigrationMicrosoftphases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade.
+- **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
+
+This event sends DMF migrator data to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigratorGuid** A GUID identifying the migrator that just completed.
+- **RunDurationInSeconds** The time it took for the migrator to complete.
+- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
+- **MigratorName** The name of the migrator that just completed.
+- **MigratorId** A GUID identifying the migrator that just completed.
+- **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
+- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This events tracks when a device needs to restart after an update but did not.
+
+The following fields are available:
+
+- **wuDeviceid** The Windows Update device GUID.
+- **errorCode** The error code that was returned.
+
+
+### Microsoft.Windows.Update.Orchestrator.Detection
+
+This event sends launch data for a Windows Update scan to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **revisionNumber** Update revision number.
+- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **deferReason** Reason why the device could not check for updates.
+- **detectionBlockreason** Reason for detection not completing.
+- **interactive** Identifies if session is User Initiated.
+- **updateId** Update ID.
+- **detectionDeferreason** A log of deferral reasons for every update state.
+- **flightID** A unique update ID.
+- **updateScenarioType** The update session type.
+- **errorCode** The returned error code.
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **detectionDeferreason** Reason for download not completing
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **interactive** Identifies if session is user initiated.
+- **revisionNumber** Update revision number.
+- **deferReason** Reason for download not completing
+- **updateId** Update ID.
+- **eventScenario** End to end update session ID.
+- **errorCode** An error code represented as a hexadecimal value
+- **flightID** Unique update ID.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Unique Update ID
+- **revisionNumber** Revision Number of the Update
+- **UpdateStatus** Integer that describes Update state
+- **EventPublishedTime** time that the event was generated
+- **wuDeviceid** Unique Device ID
+- **flightID** Unique Update ID
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **revisionNumber** Revision number of the update.
+- **EventPublishedTime** Time of the event.
+- **updateId** Update ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End to end update session ID.
+- **deferReason** Reason for install not completing.
+- **interactive** Identifies if session is user initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **flightID** Unique update ID
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **flightUpdate** Flight update
+- **minutesToCommit** The time it took to install updates.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **eventScenario** End to end update session ID.
+- **sessionType** Interactive vs. Background.
+- **bundleRevisionnumber** Bundle revision number.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **bundleId** Update grouping ID.
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **flightID** Unique update ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **installRebootDeferreason** Reason for reboot not occurring.
+- **revisionNumber** Update revision number.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **deferReason** Reason for install not completing.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device id on which the reboot is restored
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End to end update session ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **systemNeededReason** Reason ID
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **policyCacherefreshtime** Refresh time
+- **policiesNamevaluesource** Policy Name
+- **updateInstalluxsetting** This shows whether a user has set policies via UX option
+- **configuredPoliciescount** Policy Count
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID.
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
+
+This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded
+- **StatusCode** The HRESULT code of the operation.
+- **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot
+- **ClientVersion** The version of the client.
+- **EventInstanceID** The USS session ID.
+- **WUDeviceID** The Windows Update device ID.
+- **ServiceGuid** The GUID of the service.
+- **BspVersion** The version of the BSP.
+- **OemName** The name of the manufacturer.
+- **DeviceName** The name of the device.
+- **CommercializationOperator** The name of the operator.
+- **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID of the update that is getting installed with this reboot.
+- **ScheduledRebootTime** Time of the scheduled reboot.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **revisionNumber** Revision number of the update that is getting installed with this reboot.
+- **forcedreboot** True, if a reboot is forced on the device. False, otherwise.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootState** The state of the reboot.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
+
+This event is sent when a toast notification is shown to the user about scheduling a device restart.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time when the toast notification was shown.
+
+
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ScheduledRebootTime** The time that the device was restarted.
+- **updateId** The Windows Update device GUID.
+- **revisionNumber** The revision number of the OS being updated.
+- **wuDeviceid** The Windows Update device GUID.
+- **forcedreboot** Is the restart that's being scheduled a forced restart?
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootState** The state of the restart.
+
+
+## Winlogon events
+
+### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
+
+This event signals the completion of the setup process. It happens only once during the first logon.
+
+
+
diff --git a/windows/configure/change-history-for-configure-windows-10.md b/windows/configure/change-history-for-configure-windows-10.md
index aa5be0aab7..7f36bcbec3 100644
--- a/windows/configure/change-history-for-configure-windows-10.md
+++ b/windows/configure/change-history-for-configure-windows-10.md
@@ -21,4 +21,6 @@ The topics in this library have been updated for Windows 10, version 1703 (also
 - [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
 - [Add image for secondary tiles](start-secondary-tiles.md)
-- [Provision PCs with apps](provision-pcs-with-apps.md)
\ No newline at end of file
+- [Provision PCs with apps](provision-pcs-with-apps.md)
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+- [Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md)
\ No newline at end of file
diff --git a/windows/configure/cortana-at-work-feedback.md b/windows/configure/cortana-at-work-feedback.md
index 38e531cdca..d27d30e1cf 100644
--- a/windows/configure/cortana-at-work-feedback.md
+++ b/windows/configure/cortana-at-work-feedback.md
@@ -18,5 +18,5 @@ We ask that you report bugs and issues. To provide feedback, you can click the *
 ![Cortana at work, showing how to provide feedback to Microsoft](images/cortana-feedback.png)
-If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
+If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
diff --git a/windows/configure/cortana-at-work-policy-settings.md b/windows/configure/cortana-at-work-policy-settings.md
index fabe225293..06a4b3cf08 100644
--- a/windows/configure/cortana-at-work-policy-settings.md
+++ b/windows/configure/cortana-at-work-policy-settings.md
@@ -11,23 +11,23 @@ localizationpriority: high
 # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
 **Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+- Windows 10
+- Windows 10 Mobile
 >[!NOTE]
 >For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
 |Group policy |MDM policy |Description |
 |-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**NOTE**
This setting only applies to Windows 10 for desktop devices. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**Note**
This setting only applies to Windows 10 for desktop devices. |
 |Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
 |None|System/AllowLocation|Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
 |None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization.|
 |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

**NOTE**
This setting only applies to Windows 10 Mobile.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile.|
 |User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
 |Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.

**In Windows 10 Pro edition**
This setting can’t be managed.

**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

**IMPORTANT**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
diff --git a/windows/configure/cortana-at-work-powerbi.md b/windows/configure/cortana-at-work-powerbi.md
index a4245062b7..d5fce7c38e 100644
--- a/windows/configure/cortana-at-work-powerbi.md
+++ b/windows/configure/cortana-at-work-powerbi.md
@@ -82,8 +82,8 @@ You must create special reports, known as _Answer Pages_, to display the most co
 After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
- >[!NOTE]
- >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
+>[!NOTE]
+>It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
 **To create a custom sales data Answer Page for Cortana**
 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
diff --git a/windows/configure/cortana-at-work-voice-commands.md b/windows/configure/cortana-at-work-voice-commands.md
index e15752085d..7c4ea66ce4 100644
--- a/windows/configure/cortana-at-work-voice-commands.md
+++ b/windows/configure/cortana-at-work-voice-commands.md
@@ -28,13 +28,13 @@ To enable voice commands in Cortana
 Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
-## Test Scenario: Use voice commands in a Windows Store app
+## Test scenario: Use voice commands in a Windows Store app
 While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
 **To get a Windows Store app**
diff --git a/windows/configure/images/oobe.jpg b/windows/configure/images/oobe.jpg
index 53a5dab6bf..2e700971c1 100644
Binary files a/windows/configure/images/oobe.jpg and b/windows/configure/images/oobe.jpg differ
diff --git a/windows/configure/images/setupmsg.jpg b/windows/configure/images/setupmsg.jpg
index 12935483c5..06348dd2b8 100644
Binary files a/windows/configure/images/setupmsg.jpg and b/windows/configure/images/setupmsg.jpg differ
diff --git a/windows/configure/index.md b/windows/configure/index.md
index bbe9b61e15..41f72b3b92 100644
--- a/windows/configure/index.md
+++ b/windows/configure/index.md
@@ -19,6 +19,8 @@ Enterprises often need to apply custom configurations to devices for their users
 | Topic | Description |
 | --- | --- |
 | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+| [Basic level Windows diagnostic data](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
+| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
 | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
 | [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configure/kiosk-shared-pc.md
index 2afc67e022..d5d72c26b4 100644
--- a/windows/configure/kiosk-shared-pc.md
+++ b/windows/configure/kiosk-shared-pc.md
@@ -17,7 +17,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
 | Topic | Description |
 | --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
 | [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
 | [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 86503c42e8..8f0ddba047 100644
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -290,7 +290,7 @@ You can prevent Windows from setting the time automatically.
 -or -
-- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
 -or-
@@ -420,6 +420,7 @@ You can also use registry entries to set these Group Policies.
 | Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0|
 | Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
DWORD:0 |
+To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**
 ### 8.1 ActiveX control blocking
@@ -445,6 +446,8 @@ To turn off Live Tiles:
 - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
+You must also unpin all tiles that are pinned to Start.
+
 ### 10. Mail synchronization
 To turn off mail synchronization for Microsoft Accounts that are configured on a device:
@@ -495,7 +498,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
 | Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled |
 | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
 | Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
-| Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **about:blank** |
 The Windows 10, version 1511 Microsoft Edge Group Policy names are:
diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 3ef7f7e374..9cb47b71cd 100644
--- a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -165,7 +165,7 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
 1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**.
-2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png)
+2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png).
 3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings.
diff --git a/windows/configure/set-up-shared-or-guest-pc.md b/windows/configure/set-up-shared-or-guest-pc.md
index d0998d18c6..23d35abc14 100644
--- a/windows/configure/set-up-shared-or-guest-pc.md
+++ b/windows/configure/set-up-shared-or-guest-pc.md
@@ -16,24 +16,26 @@ localizationpriority: high
 - Windows 10
-Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
+Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
 > [!NOTE]
 > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
 ##Shared PC mode concepts
-A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
+A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
 ###Account models
-It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in.
If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account.
+It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
 ###Account management
-When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low.
+When the account management service is turned on in shared PC mode, accounts are automatically deleted.
Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
 ###Maintenance and sleep
 Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
-While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update:
+While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates.
+
+Use one of the following methods to configure Windows Update:
 - Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**.
 - MDM: Set **Update/AllowAutoUpdate** to `4`.
@@ -43,21 +45,31 @@ While shared PC mode does not configure Windows Update itself, it is strongly re ###App behavior -Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx). +Apps can take advantage of shared PC mode with the following three APIs: + +- [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. +- [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app. +- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle telemetry differently or hide advertising functionality. + ###Customization Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. | Setting | Value | |:---|:---| -| EnableSharedPCMode | Set as **True**. 
If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | -| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC.
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. | +| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings)

Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | +| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** | | AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | | AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | +| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | | AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | +| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) | +| AccountManagement: KioskModeUserTileDisplayText | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | | Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. 
For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
- Local storage locations are restricted. Users can only save files to the cloud.
- Custom Start and taskbar layouts are set.\*
- A custom sign-in screen background image is set.\*
- Additional educational policies are applied (see full list below).

\*Only applies to Windows 10 Pro Education, Enterprise, and Education | +| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | +| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | | Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | @@ -73,6 +85,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) +- WMI bridge: Environments that use Group Policy can use the WMI bridge to configure the [SharedPC CSP](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). ### Create a provisioning package for shared use @@ -86,7 +99,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: 4. Select **All Windows desktop editions**, and click **Next**. -5. Click **Finish**. Your project opens in Windows ICD. +5. Click **Finish**. Your project opens in Windows Configuration Designer. 6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) 
@@ -104,7 +117,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: > [!IMPORTANT]   > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. 13. Click **Next**. 14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. 
@@ -127,45 +140,20 @@ You can configure Windows to be in shared PC mode in a couple different ways: You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up. **During initial setup** -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +1. Start with a PC on the setup screen. ![The first screen to set up a new PC](images/oobe.jpg) -2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**. +2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. + + - If there is only one provisioning package on the USB drive, the provisioning package is applied. + + - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install. ![Set up device?](images/setupmsg.jpg) -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - - ![Choose a package](images/choose-package.png) - -5. Select **Yes, add it**. - - ![Do you trust this package?](images/trust-package.png) - -6. Read and accept the Microsoft Software License Terms. - - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. 
If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) +3. Complete the setup process. **After setup** 
@@ -180,11 +168,11 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac ## Guidance for accounts on shared PCs * We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. +* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will also be deleted automatically at sign out. * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. 
New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. * If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or @@ -209,7 +197,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. > [!IMPORTANT] -> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. +> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. @@ -240,6 +228,8 @@ Shared PC mode sets local group policies to configure the device. Some of these + + @@ -252,8 +242,8 @@ Shared PC mode sets local group policies to configure the device. Some of these - - + + @@ -264,17 +254,19 @@ Shared PC mode sets local group policies to configure the device. Some of these + - - - - - + + + + + + diff --git a/windows/configure/start-secondary-tiles.md b/windows/configure/start-secondary-tiles.md index 4e9328e91b..2fb633a235 100644 --- a/windows/configure/start-secondary-tiles.md +++ b/windows/configure/start-secondary-tiles.md 
@@ -82,7 +82,7 @@ In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting, ### Using a provisioning package - + #### Prepare the Start layout and Edge assets XML files The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. diff --git a/windows/configure/windows-diagnostic-data.md b/windows/configure/windows-diagnostic-data.md new file mode 100644 index 0000000000..7818844702 --- /dev/null +++ b/windows/configure/windows-diagnostic-data.md 
@@ -0,0 +1,117 @@ +--- +title: Windows 10, version 1703 Diagnostic Data (Windows 10) +description: Use this article to learn about the types of that is collected the the Full telemetry level. +keywords: privacy,Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +author: brianlic-msft +--- + +# Windows 10, version 1703 Diagnostic Data + +Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md). + + +The data covered in this article is grouped into the following categories: + +- Common Data (diagnostic header information) +- Device, Connectivity, and Configuration data +- Product and Service Usage data +- Product and Service Performance data +- Software Setup and Inventory data +- Content Consumption data +- Browsing, Search and Query data +- Inking, Typing, and Speech Utterance data +- Licensing and Purchase data + +> [!NOTE] +> The majority of diagnostic data falls into the first four categories. + +## Common data + +Most diagnostic events contain a header of common data: + +| Category Name | Examples | +| - | - | +| Common Data | Information that is added to most diagnostic events, if relevant and available:
  • OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
  • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
  • Xbox UserID
  • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
  • The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
  • HTTP header information including IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.
  • Various IDs that are used to correlate and sequence related events together.
  • Device ID. This is not the user provided device name, but an ID that is unique for that device.
  • Device class -- Desktop, Server, or Mobile
  • Event collection time
  • Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
| + +## ​Device, Connectivity, and Configuration data + +This type of data includes details about the device, its configuration and connectivity capabilities, and status. + +| Category Name | Examples | +| - | - | +| Device properties | Information about the OS and device hardware, such as:
  • OS - version name, Edition
  • Installation type, subscription status, and genuine OS status
  • Processor architecture, speed, number of cores, manufacturer, and model
  • OEM details --manufacturer, model, and serial number
  • Device identifier and Xbox serial number
  • Firmware/BIOS -- type, manufacturer, model, and version
  • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
  • Storage -- total capacity and disk type
  • Battery -- charge capacity and InstantOn support
  • Hardware chassis type, color, and form factor
  • Is this a virtual machine?
| +| Device capabilities | Information about the specific device capabilities such as:
  • Camera -- whether the device has a front facing, a rear facing camera, or both.
  • Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
  • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
  • Trusted Platform Module (TPM) – whether present and what version
  • Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
  • Voice – whether voice interaction is supported and the number of active microphones
  • Number of displays, resolutions, DPI
  • Wireless capabilities
  • OEM or platform face detection
  • OEM or platform video stabilization and quality level set
  • Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
| +| Device preferences and settings | Information about the device settings and user preferences such as:
  • User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
  • User-provided device name
  • Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
  • Hashed representation of the domain name
  • MDM (mobile device management) enrollment settings and status
  • BitLocker, Secure Boot, encryption settings, and status
  • Windows Update settings and status
  • Developer Unlock settings and status
  • Default app choices
  • Default browser choice
  • Default language settings for app, input, keyboard, speech, and display
  • App store update settings
  • Enterprise OrganizationID, Commercial ID
| +| Device peripherals | Information about the device peripherals such as:
  • Peripheral name, device model, class, manufacturer and description
  • Peripheral device state, install state, and checksum
  • Driver name, package name, version, and manufacturer
  • HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
  • Driver state, problem code, and checksum
  • Whether driver is kernel mode, signed, and image size
| +| Device network info | Information about the device network configuration such as:
  • Network system capabilities
  • Local or Internet connectivity status
  • Proxy, gateway, DHCP, DNS details and addresses
  • Paid or free network
  • Wireless driver is emulated or not
  • Access point mode capable
  • Access point manufacturer, model, and MAC address
  • WDI Version
  • Name of networking driver service
  • Wi-Fi Direct details
  • Wi-Fi device hardware ID and manufacturer
  • Wi-Fi scan attempt counts and item counts
  • Mac randomization is supported/enabled or not
  • Number of spatial streams and channel frequencies supported
  • Manual or Auto Connect enabled
  • Time and result of each connection attempt
  • Airplane mode status and attempts
  • Interface description provided by the manufacturer
  • Data transfer rates
  • Cipher algorithm
  • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
  • Mobile operator and service provider name
  • Available SSIDs and BSSIDs
  • IP Address type -- IPv4 or IPv6
  • Signal Quality percentage and changes
  • Hotspot presence detection and success rate
  • TCP connection performance
  • Miracast device names
  • Hashed IP address
+ +## Product and Service Usage data + +This type of data includes details about the usage of the device, operating system, applications and services. + +| Category Name | Examples | +| - | - | +| App usage | Information about Windows and application usage such as:
  • OS component and app feature usage
  • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.
  • Time of and count of app/component launches, duration of use, session GUID, and process ID
  • App time in various states – running foreground or background, sleeping, or receiving active user interaction
  • User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
  • Cortana launch entry point/reason
  • Notification delivery requests and status
  • Apps used to edit images and videos
  • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
  • Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
  • Emergency alerts are received or displayed statistics
  • Content searches within an app
  • Reading activity -- bookmarking used, print used, layout changed
| +| App or product state | Information about Windows and application state such as:
  • Start Menu and Taskbar pins
  • Online/Offline status
  • App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
  • Personalization impressions delivered
  • Whether the user clicked or hovered on UI controls or hotspots
  • User feedback Like or Dislike or rating was provided
  • Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.
| +| Login properties |
  • Login success or failure
  • Login sessions and state
| + + +## Product and Service Performance data + +This type of data includes details about the health of the device, operating system, apps and drivers. + +| Category Name | Description and Examples | +| - | - | +| Device health and crash data | Information about the device and software health such as:
  • Error codes and error messages, name and ID of the app, and process reporting the error
  • DLL library predicted to be the source of the error -- xyz.dll
  • System generated files -- app or product logs and trace files to help diagnose a crash or hang
  • System settings such as registry keys
  • User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
  • Details and counts of abnormal shutdowns, hangs, and crashes
  • Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
  • Crash and Hang dumps
    • The recorded state of the working memory at the point of the crash.
    • Memory in use by the kernel at the point of the crash.
    • Memory in use by the application at the point of the crash.
    • All the physical memory used by Windows at the point of the crash.
    • Class and function name within the module that failed.
    | +| Device performance and reliability data | Information about the device and software performance such as:
    • User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
    • Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
    • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Windows Store transaction.
    • User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
    • UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
    • Disk footprint -- Free disk space, out of memory conditions, and disk score.
    • Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
    • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
    • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
    • Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
    • Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
    • Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
    • Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
    + +## Software Setup and Inventory data + +This type of data includes software installation and update information on the device. + +| Category Name | Data Examples | +| - | - | +| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
    • App, driver, update package, or component’s Name, ID, or Package Family Name
    • Product, SKU, availability, catalog, content, and Bundle IDs
    • OS component, app or driver publisher, language, version and type (Win32 or UWP)
    • Install date, method, and install directory, count of install attempts
    • MSI package code and product code
    • Original OS version at install time
    • User or administrator or mandatory installation/update
    • Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
    | +| Device update information | Information about Windows Update such as:
    • Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
    • Number of applicable updates, importance, type
    • Update download size and source -- CDN or LAN peers
    • Delay upgrade status and configuration
    • OS uninstall and rollback status and count
    • Windows Update server and service URL
    • Windows Update machine ID
    • Windows Insider build details
    + +## Content Consumption data + +This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits. + +| Category Name | Examples | +| - | - | +| Movies | Information about movie consumption functionality on the device such as:
    • Video Width, height, color pallet, encoding (compression) type, and encryption type
    • Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
    • URL for a specific two second chunk of content if there is an error
    • Full screen viewing mode details
    | +| Music & TV | Information about music and TV consumption on the device such as:
    • Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
    • Content type (video, audio, surround audio)
    • Local media library collection statistics -- number of purchased tracks, number of playlists
    • Region mismatch -- User OS Region, and Xbox Live region
    | +| Reading | Information about reading consumption functionality on the device such as:
    • App accessing content and status and options used to open a Windows Store book
    • Language of the book
    • Time spent reading content
    • Content type and size details
    | +| Photos App | Information about photos usage on the device such as:
    • File source data -- local, SD card, network device, and OneDrive
    • Image & video resolution, video length, file sizes types and encoding
    • Collection view or full screen viewer use and duration of view
    + +## Browsing, Search and Query data + +This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device. + +| Category Name | Description and Examples | +| - | - | +| Microsoft browser data | Information about Address bar and search box performance on the device such as:
    • Text typed in address bar and search box
    • Text selected for Ask Cortana search
    • Service response time
    • Auto-completed text if there was an auto-complete
    • Navigation suggestions provided based on local history and favorites
    • Browser ID
    • URLs (which may include search terms)
    • Page title
    | +| On-device file query | Information about local search activity on the device such as:
    • Kind of query issued and index type (ConstraintIndex, SystemIndex)
    • Number of items requested and retrieved
    • File extension of search result user interacted with
    • Launched item kind, file extension, index of origin, and the App ID of the opening app.
    • Name of process calling the indexer and time to service the query.
    • A hash of the search scope (file, Outlook, OneNote, IE history)
    • The state of the indices (fully optimized, partially optimized, being built)
    | + + +## Inking Typing and Speech Utterance data + +This type of data gathers details about the voice, inking, and typing input features on the device. + +| Category Name | Description and Examples | +| - | - | +| Voice, inking, and typing | Information about voice, inking and typing features such as:
    • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
    • Pen gestures (click, double click, pan, zoom, rotate)
    • Palm Touch x,y coordinates
    • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
    • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
    • Text of speech recognition results -- result codes and recognized text
    • Language and model of the recognizer, System Speech language
    • App ID using speech features
    • Whether user is known to be a child
    • Confidence and Success/Failure of speech recognition
    | + +## ​​​​​​​Licensing and Purchase data + +This type of data includes diagnostic details about the purchase and entitlement activity on the device. + +| Category Name | Data Examples | +| - | - | +| Purchase history | Information about purchases made on the device such as:
    • Product ID, edition ID and product URI
    • Offer details -- price
    • Order requested date/time
    • Store client type -- web or native client
    • Purchase quantity and price
    • Payment type -- credit card type and PayPal
    | +| Entitlements | Information about entitlements on the device such as:
    • Service subscription status and errors
    • DRM and license rights details -- Groove subscription or OS volume license
    • Entitlement ID, lease ID, and package ID of the install package
    • Entitlement revocation
    • License type (trial, offline vs online) and duration
    • License usage session
    |
\ No newline at end of file
diff --git a/windows/images/W10-WaaS-poster.PNG b/windows/images/W10-WaaS-poster.PNG
index 76f843c1b8..d3887faf89 100644
Binary files a/windows/images/W10-WaaS-poster.PNG and b/windows/images/W10-WaaS-poster.PNG differ
diff --git a/windows/index.md b/windows/index.md
index 50d0140341..5935b2a3a7 100644
--- a/windows/index.md
+++ b/windows/index.md
@@ -11,7 +11,8 @@ author: brianlic-msft
 This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
-
    +
    +

Admin Templates>System>Power Management>Video and Display Settings

Turn off the display (plugged in)

*SleepTimeout*

SetPowerPolicies=True

Turn off the display (on battery

*SleepTimeout*

SetPowerPolicies=True

Admin Templates>System>Power Management>Energy Saver Settings

Energy Saver Battery Threshold (on battery)70SetPowerPolicies=True

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Always

Hide entry points for Fast User Switching

Enabled

Always

Admin Templates>System>User Profiles

Turn off the advertising ID

Enabled

SetEduPolicies=True

Admin Templates>Windows Components

Do not show Windows Tips

*Only on Pro, Enterprise, Pro Education, and Education*

Enabled

SetEduPolicies=True

Turn off Microsoft consumer experiences

*Only on Pro, Enterprise, Pro Education, and Education*

Enabled

SetEduPolicies=True

Do not show Windows Tips

Enabled

SetEduPolicies=True

Turn off Microsoft consumer experiences

Enabled

SetEduPolicies=True

Microsoft Passport for Work

Disabled

Always

Prevent the usage of OneDrive for file storage

Enabled

Always

Admin Templates>Windows Components>Biometrics

Toggle user control over Insider builds

Disabled

Always

Disable pre-release features or settings

Disabled

Always

Do not show feedback notifications

Enabled

Always

Allow TelemetryBasic, 0SetEduPolicies=True

Admin Templates>Windows Components>File Explorer

Show lock in the user tile menu

Disabled

Always

Admin Templates>Windows Components>Maintenance Scheduler

Automatic Maintenance Activation Boundary

*MaintenanceStartTime*

Always

Automatic Maintenance Random Delay

Enabled, 2 hours

Always

Automatic Maintenance WakeUp Policy

Enabled

Always

Admin Templates>Windows Components>Microsoft Edge

Open a new tab with an empty tab

Disabled

SetEduPolicies=True

Configure corporate home pages

Enabled, about:blank

SetEduPolicies=True

Admin Templates>Windows Components>Search

Allow Cortana

Disabled

SetEduPolicies=True

Admin Templates>Windows Components>Windows Hello for Business

Use phone sign-in

Disabled

Always

Use Windows Hello for Business

Disabled

Always

Use biometrics

Disabled

Always

Admin Templates>Windows Components>OneDrive

Prevent the usage of OneDrive for file storage

Enabled

Always

Windows Settings>Security Settings>Local Policies>Security Options

Interactive logon: Do not display last user name

Enabled, Disabled when account model is only guest

Always

    @@ -76,15 +77,14 @@ This library provides the core content that IT pros need to evaluate, plan, depl
 ## Get to know Windows as a Service (WaaS)
- + -
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. +
Get to know Windows as a Service (WaaS)
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - - [Read more about Windows as a Service](manage/waas-overview.md) - - - Download the WaaS infographic + + - Read more about Windows as a Service
Get to know Windows as a Service (WaaS)
    @@ -93,4 +93,5 @@ This library provides the core content that IT pros need to evaluate, plan, depl   +   
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index bc1d1edae3..38d5a79370 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -26,9 +26,9 @@
 ### [How Credential Guard works](credential-guard-how-it-works.md)
 ### [Credential Guard Requirements](credential-guard-requirements.md)
 ### [Manage Credential Guard](credential-guard-manage.md)
-### [Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md)
+### [Credential Guard protection limits](credential-guard-protection-limits.md)
 ### [Considerations when using Credential Guard](credential-guard-considerations.md)
-### [Scripts for Certificate Authority Issuance Policies](credential-guard-scripts.md)
+### [Credential Guard: Additional mitigations](additional-mitigations.md)
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
 ## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
 ### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
    @@ -46,7 +46,7 @@
 #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
 #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
-#### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md)
+#### [Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md)
 ## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md)
 ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)
 ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md)
    @@ -781,11 +781,12 @@
 ######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
 ######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 #### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 ##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
 ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
 ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
index ca83fa4210..1bf6c06da4 100644
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
@@ -39,14 +39,15 @@ You can add apps to your Windows Information Protection (WIP) protected app list
 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - + >[!Note] >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >[!Important] + >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -86,15 +87,18 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. + >[!Important] + >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. - >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >[!Note] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+ >[!Important]
+ >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
diff --git a/windows/keep-secure/additional-mitigations.md b/windows/keep-secure/additional-mitigations.md
new file mode 100644
index 0000000000..706bdef10b
--- /dev/null
+++ b/windows/keep-secure/additional-mitigations.md
@@ -0,0 +1,612 @@ +--- +title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10) +description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +## Additional mitigations + +Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. + +### Restricting domain users to specific domain-joined devices + +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. + +#### Kerberos armoring + +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. 
Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. + +**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** + +- Users need to be in domains that are running Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. + +#### Protecting domain-joined device secrets + +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. + +Domain-joined device certificate authentication has the following requirements: +- Devices' accounts are in Windows Server 2012 domain functional level or higher. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension +- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. 
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. + +##### Deploying domain-joined device certificates + +To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. + +For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. + +**Creating a new certificate template** + +1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** +2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. +3. Right-click the new template, and then click **Properties**. +4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. +5. Click **Client Authentication**, and then click **Remove**. +6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: + - Name: Kerberos Client Auth + - Object Identifier: 1.3.6.1.5.2.3.4 +7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. +8. Under **Issuance Policies**, click**High Assurance**. +9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. + +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. + +**Enrolling devices in a certificate** + +Run the following command: +``` syntax +CertReq -EnrollCredGuardCert MachineAuthentication +``` + +> [!NOTE] +> You must restart the device after enrolling the machine authentication certificate. 
+  +##### How a certificate issuance policy can be used for access control + +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. + +**To see the issuance policies available** + +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\get-IssuancePolicy.ps1 –LinkedToGroup:All + ``` + +**To link an issuance policy to a universal security group** + +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" + ``` + +#### Restricting user sign on + +So we now have completed the following: + +- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on +- Mapped that policy to a universal security group or claim +- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. 
+ +Authentication policies have the following requirements: +- User accounts are in a Windows Server 2012 domain functional level or higher domain. + +**Creating an authentication policy restricting users to the specific universal security group** + +1. Open Active Directory Administrative Center. +2. Click **Authentication**, click **New**, and then click **Authentication Policy**. +3. In the **Display name** box, enter a name for this authentication policy. +4. Under the **Accounts** heading, click **Add**. +5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. +6. Under the **User Sign On** heading, click the **Edit** button. +7. Click **Add a condition**. +8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. +9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. +10. Click **OK** to close the **Edit Access Control Conditions** box. +11. Click **OK** to create the authentication policy. +12. Close Active Directory Administrative Center. + +> [!NOTE] +> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. + +##### Discovering authentication failures due to authentication policies + +To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. 
To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. + +To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). + +### Appendix: Scripts + +Here is a list of scripts mentioned in this topic. + +#### Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$Identity, +$LinkedToGroup +) +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. +help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. 
+help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity 
+write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. +  +#### Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) +####################################### +## Strings definitions ## +####################################### +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". +IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. 
+ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} +# import-localizeddata ErrorMsg +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. +import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +if ( !($IssuancePolicyName) ) { +display-Help +break +} +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} +####################################### +## Find the container of the group ## +####################################### +if ($groupOU -eq 
$null) { +# default to the Users container +$groupContainer = $domain.UsersContainer +} +else { +$searchBase = [string]$domain.DistinguishedName +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +if ($groupContainer.count -gt 1) { +$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase +write-host $tmp -ForegroundColor Red +break; +} +elseif ($groupContainer -eq $null) { +$tmp = $ErrorMsg.confirmOUcreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName +if ($?){ +$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU +write-host $tmp -ForegroundColor Green +} +else{ +$tmp = $ErrorMsg.OUCreationError -f $groupOU +write-host $tmp -ForeGroundColor Red +break; +} +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name +write-host $tmp -ForegroundColor Green +} +} +####################################### +## Find the group ## +####################################### +if (($groupName -ne $null) -and ($groupName -ne "")){ +##$searchBase = [String]$groupContainer.DistinguishedName +$searchBase = $groupContainer +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +if ($group -ne $null -and $group.gettype().isarray) { +$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($group -eq $null) { +$tmp = $ErrorMsg.confirmGroupCreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) 
{ +$tmp = $ErrorMsg.UnlinkSuccess +write-host $tmp -ForeGroundColor Green +}else{ +$tmp = $ErrorMsg.UnlinkError +write-host $tmp -ForeGroundColor Red +} +} +else { +$tmp = $ErrorMsg.UnlinkExit +write-host $tmp +break +} +} +else { +$tmp = $ErrorMsg.IPNotLinked +write-host $tmp -ForeGroundColor Yellow +} +break; +} +####################################### +## Verify that the group is ## +## Universal, Security, and ## +## has no members ## +####################################### +if ($group.GroupScope -ne "Universal") { +$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +if ($group.GroupCategory -ne "Security") { +$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +$members = Get-ADGroupMember -Identity $group +if ($members -ne $null) { +$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} +break; +} +####################################### +## We have verified everything. We ## +## can create the link from the ## +## Issuance Policy to the group. ## +####################################### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName +write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Replace $tmp +if ($?) 
{ +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + +## See also + +**Deep Dive into Credential Guard: Related videos** + +[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md index 580f3684c9..f0976431f1 100644 --- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -78,3 +78,4 @@ Portal label | SIEM field name | Description - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 5761c7318a..e0f1bc14e9 100644 
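Review bot: In set-IssuancePolicyToGroupLink.ps1 the working `$searchBase = [String]$groupContainer.DistinguishedName` line is commented out in favour of `$searchBase = $groupContainer`, yet when `-groupOU` is omitted `$groupContainer` is the plain DN string `$domain.UsersContainer`, so the later `new-adgroup ... -path $groupContainer.distinguishedName` appears to pass `$null` and the group is created wherever the cmdlet defaults to rather than where the help text promises; normalise both branches to a DN string, e.g. `$groupContainerDN = if ($groupOU) { [String]$groupContainer.DistinguishedName } else { [String]$domain.UsersContainer }`, and use it for both `-searchBase` and `-path`. The OID lookup in the same script filters only on displayname/name and objectClass, whereas get-IssuancePolicy.ps1 additionally requires `(flags=2)`; without `-and (flags -eq 2)` in the set script's `-Filter`, a non-issuance msPKI-Enterprise-Oid object with a matching display name could be linked to the universal security group that the authentication policy later trusts. The intro sentence "reusing previously stolen credentials prior to Device Guard" presumably means Credential Guard, since that is the feature the topic describes.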
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -85,9 +85,9 @@ You should configure the startup options of your computer to have the hard disk ## Upgrading -### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? +### Can I upgrade to Windows 10 with BitLocker enabled? -Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key. +Yes. ### What is the difference between suspending and decrypting BitLocker? @@ -97,44 +97,13 @@ Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLo ### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? -The following table lists what action you need to take before you perform an upgrade or update installation. +No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). +Users need to suspend BitLocker for Non-Microsoft software updates, such as: + +- Computer manufacturer firmware updates +- TPM firmware updates +- Non-Microsoft application updates that modify boot components -

---- - - - - - - - - - - - - - - - - - - - - - - - - -
Type of updateAction

Windows Anytime Upgrade

Decrypt

Upgrade to Windows 10

Suspend

Non-Microsoft software updates, such as:

-
    -
  • Computer manufacturer firmware updates

  • -
  • TPM firmware updates

  • -
  • Non-Microsoft application updates that modify boot components

  • -

Suspend

Software and operating system updates from Windows Update

Nothing

-  > **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.   ## Deployment and administration diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index c16db3871b..8f5aa0a1af 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. -- [Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN](#bkmk-hstioptout) +- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout) - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) 
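Review bot: The hunk appears to drop the recovery-mode caveat (the `> **Note:** If you have suspended BitLocker ... your computer will enter recovery mode when restarting and will require a recovery key` line carries a `-` marker) together with the table, while the new bullet list still tells users to suspend BitLocker for manufacturer firmware, TPM firmware and boot-component updates without saying what happens if they do not. Keep that note directly under the new list so readers know an unsuspended firmware or TPM update changes the measured components, forces recovery and needs the recovery key or password, and that resuming protection reseals the key to the new measurements. The earlier hunk in this file also collapses the suspend/resume procedure to `Yes.`; a one-line pointer to the suspend steps (BitLocker Drive Encryption Control Panel > Manage BitLocker > Suspend, then Resume Protection after the update) would keep the new "Users need to suspend BitLocker" sentence actionable.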
@@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) -### Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN +### Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index 1005d019ad..557719c15c 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
@@ -44,8 +44,8 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. -- Changing the boot order to boot another drive in advance of the hard drive. +- On PCs that use either BitLocker or Device Encryption, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. 
However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. - Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 18f2048095..fc22dd555a 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
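Review bot: The added bullet's explanation that "TPM 2.0 does not consider a firmware change of boot device order as a security threat" presents the TPM as the component that decides what triggers recovery; as far as I recall, the difference comes from the platform-validation profile BitLocker binds the key to (Secure Boot/PCR 7 on UEFI systems, which TPM 2.0 requires) rather than from the TPM version itself, so the sentence is worth confirming with the BitLocker owners before it states this as a TPM property. A wording that makes the same practical point without overstating it: `On devices with TPM 2.0, changing the boot device order does not cause BitLocker recovery, because the boot order is not part of the measurements BitLocker validates on those platforms.` Separately, the second sentence of the bullet appears on its own line without a `+` marker, which looks like a stray line break inside the list item; worth checking that it still renders as one bullet.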
@@ -25,14 +25,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | |[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New | |[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New | - - -## February 2017 - -|New or changed topic |Description | -|---------------------|------------| -|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. | - +|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. | ## January 2017 |New or changed topic |Description | 
@@ -40,7 +33,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | -|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | +|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | | Microsoft Passport guide | Content merged into [Windows Hello for Business](hello-identity-verification.md) topics | ## December 2016 diff --git a/windows/keep-secure/code/example-script.ps1 b/windows/keep-secure/code/example-script.ps1 deleted file mode 100644 index e6563c2378..0000000000 --- a/windows/keep-secure/code/example-script.ps1 +++ /dev/null 
@@ -1,60 +0,0 @@ -$authUrl = 'Your Authorization URL' -$clientId = 'Your Client ID' -$clientSecret = 'Your Client Secret' - - -Try -{ - $tokenPayload = @{ - "resource" = 'https://graph.windows.net' - "client_id" = $clientId - "client_secret" = $clientSecret - "grant_type"='client_credentials'} - - "Fetching an access token" - $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload - $token = $response.access_token - "Token fetched successfully" - - $headers = @{ - "Content-Type" = "application/json" - "Accept" = "application/json" - "Authorization" = "Bearer {0}" -f $token } - - $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" - - $alertDefinitionPayload = @{ - "Name" = "Test Alert" - "Severity" = "Medium" - "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" - "Title" = "Test alert." - "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." - "RecommendedAction" = "No recommended action for this test alert." - "Category" = "SuspiciousNetworkTraffic" - "Enabled" = "true"} - "Creating an Alert Definition" - $alertDefinition = - Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) - "Alert Definition created successfully" - $alertDefinitionId = $alertDefinition.Id - - $iocPayload = @{ - "Type"="IpAddress" - "Value"="52.184.197.12" - "DetectionFunction"="Equals" - "Enabled"="true" - "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } - - "Creating an Indicator of Compromise" - $ioc = - Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) - "Indicator of Compromise created successfully" - - "All done!" -} -Catch -{ - 'Something went wrong! 
Got the following exception message: {0}' -f $_.Exception.Message -} diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1 deleted file mode 100644 index 6941c80627..0000000000 --- a/windows/keep-secure/code/example.ps1 +++ /dev/null @@ -1,50 +0,0 @@ -$authUrl = 'Your Authorization URL' -$clientId = 'Your Client ID' -$clientSecret = 'Your Client Secret' - -$tokenPayload = @{ - "resource"='https://graph.windows.net' - "client_id" = $clientId - "client_secret" = $clientSecret - "grant_type"='client_credentials'} - -$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload -$token = $response.access_token - -$headers = @{ - "Content-Type"="application/json" - "Accept"="application/json" - "Authorization"="Bearer {0}" -f $token } - -$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" - -$alertDefinitions = - (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value - -$alertDefinitionPayload = @{ - "Name"= "The alert's name" - "Severity"= "Low" - "InternalDescription"= "An internal description of the Alert" - "Title"= "The Title" - "UxDescription"= "Description of the alerts" - "RecommendedAction"= "The alert's recommended action" - "Category"= "Trojan" - "Enabled"= "true"} - -$alertDefinition = - Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) - -$alertDefinitionId = $alertDefinition.Id - -$iocPayload = @{ - "Type"="Sha1" - "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" - "DetectionFunction"="Equals" - "Enabled"="true" - "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } - - -$ioc = - Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py deleted file mode 100644 index 6203b5230b..0000000000 
--- a/windows/keep-secure/code/example.py +++ /dev/null @@ -1,51 +0,0 @@ -import json -import requests -from pprint import pprint - -auth_url="Your Authorization URL" -client_id="Your Client ID" -client_secret="Your Client Secret" - -payload = {"resource": "https://graph.windows.net", - "client_id": client_id, - "client_secret": client_secret, - "grant_type": "client_credentials"} - -response = requests.post(auth_url, payload) -token = json.loads(response.text)["access_token"] - -with requests.Session() as session: - session.headers = { - 'Authorization': 'Bearer {}'.format(token), - 'Content-Type': 'application/json', - 'Accept': 'application/json'} - - response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") - pprint(json.loads(response.text)) - - alert_definition = {"Name": "The alert's name", - "Severity": "Low", - "InternalDescription": "An internal description of the alert", - "Title": "The Title", - "UxDescription": "Description of the alerts", - "RecommendedAction": "The alert's recommended action", - "Category": "Trojan", - "Enabled": True} - - response = session.post( - "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", - json=alert_definition) - - alert_definition_id = json.loads(response.text)["Id"] - - ioc = {'Type': "Sha1", - 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", - 'DetectionFunction': "Equals", - 'Enabled': True, - "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} - - response = session.post( - "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", - json=ioc) - - pprint(json.loads(response.text)) diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md index 1f2fa78b86..18065e7b67 100644 --- a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md 
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -50,15 +50,15 @@ For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft. Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class ---|---|---|--- See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` -Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint` +Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` - Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` + Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` Scan packed executables | Scan > Scan packed executables | Enabled | Not available Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available - Specify the maximum CPU load (as a percentage) during a scan. 
This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` - Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available + Specify the maximum CPU load (as a percentage) during a scan. This is a maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` + Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available **Use Configuration Manager to configure scanning options:** 
@@ -77,16 +77,16 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan ### Email scanning limitations We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. -Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended method for scanning emails. +Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: - DBX - MBX - MIME -PST files used by Outlook 2003 or older (where the archive type is set to non-uni-code) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. +PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. 
-If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: +If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: - Email subject - Attachment name diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 636c697802..385a17c7b8 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -182,3 +182,4 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md index ab5f73d845..09874321a0 100644 --- a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md 
@@ -41,7 +41,7 @@ The default period that the file will be [blocked](configure-block-at-first-sigh ## Prerequisites to use the extended cloud block timeout -The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specifiy an extended timeout period. +The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specify an extended timeout period. ## Specify the extended timeout period diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md index c4a85d0274..8084bd32aa 100644 --- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md 
@@ -41,11 +41,16 @@ The email notifications feature is turned off by default. Turn it on to start re - **High** – Select this level to send notifications for high-severity alerts. - **Medium** – Select this level to send notifications for medium-severity alerts. - **Low** - Select this level to send notifications for low-severity alerts. + - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of. 4. In **Email recipients to notify on new alerts**, type the email address then select the + sign. 5. Click **Save preferences** when you’ve completed adding all the recipients. Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. +Here's an example email notification: + +![Image of example email notification](images/atp-example-email-notification.png) + ## Remove email recipients 1. Select the trash bin icon beside the email address you’d like to remove. diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 058966943e..3107054c50 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md 
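Review bot: The new **Informational** bullet breaks the parallel wording of the three levels above it ("send notifications for X-severity alerts") and its second half is ungrammatical ("but good to keep track of"); it also uses a hyphen where **High** and **Medium** use an en dash. Suggest `- **Informational** – Select this level to send notifications for informational alerts, which might not be considered harmful but are worth keeping track of.` The numbered step that contains this list starts outside the hunk.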
@@ -92,10 +92,11 @@ Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/Wi Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled - +Configuration for onboarded machines: telemetry reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2
1: Normal (default)

2: Expedite | Windows Defender ATP telemetry reporting > [!NOTE] -> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. +> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. +> - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703. ### Offboard and monitor endpoints diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md index 874d94951f..db1498b7bd 100644 --- a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md @@ -35,7 +35,7 @@ author: iaanw You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus. -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only aply to real-time protection. +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md index 58d8075e0c..728b747ccb 100644 
--- a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md @@ -78,7 +78,7 @@ Scan | Configure local setting override for the scan type to use for a scheduled You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). -By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precendence. +By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence. You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used. diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md index 21303b1d7c..8abb221880 100644 --- a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md 
@@ -26,7 +26,7 @@ author: iaanw To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. -This topic lists the connections that must be allowed, including firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services. +This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services. See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity. @@ -167,7 +167,7 @@ If you are using Microsoft Edge, you'll also see a notification message: ![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) -A similar message occurs if you are uding Internet Explorer: +A similar message occurs if you are using Internet Explorer: ![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) diff --git a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md index 2244318943..a692199439 100644 --- a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md 
@@ -31,7 +31,7 @@ In Windows 10, application notifications about malware detection and remediation Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. -You can also configure how standard notifications appear on endpoints, such as notfications for reboot or when a threat has been detected and remediated. +You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. ## Configure the additional notifications that appear on endpoints diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index e1043e17fc..50dbbe12a6 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
@@ -89,7 +89,7 @@ You can [configure how locally and globally defined exclusions lists are merged] **Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** -Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). +Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). The format for the cmdlets is: diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 8ef29a6be5..399486b886 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md 
@@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. -The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`. +The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`. The registry value `TelemetryProxyServer` takes the following string format: diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md index 6b0d0a8a25..677e0883be 100644 --- a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md 
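Review bot: The corrected key path in the new line, `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`, still names `DisableEnterpriseAuthProxy` as a subkey while the same sentence lists it as a REG_DWORD value under that key, so the path and the sentence cannot both be right. The Data Collection policy key is `HKLM\Software\Policies\Microsoft\Windows\DataCollection`, with `TelemetryProxyServer` and `DisableEnterpriseAuthProxy` as values directly beneath it; an administrator who creates the path as written would presumably end up with a key nothing reads and a static proxy that never takes effect, so sensor traffic would keep using the default route the topic is trying to constrain. Suggest changing the key in that sentence to `HKLM\Software\Policies\Microsoft\Windows\DataCollection` and adding a sentence telling readers to confirm the two values landed under that key after the policy applies.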
@@ -37,7 +37,7 @@ author: iaanw Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. -These activities include events such as processes making unusual changes to existing files, modifiying or creating automatic startup registry keys and startup locations (also known as auto-start extensibilty points, or ASEPs), and other changes to the file system or file structure. +These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. ## Configure and enable always-on protection 
@@ -65,10 +65,10 @@ Real-time protection | Monitor file and program activity on your computer | The Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled -Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled +Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled -Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. 
-Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions) +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) +Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled @@ -81,7 +81,7 @@ Root | Allow antimalware service to remain running always | If protection update The main real-time protection capability is enabled by default, but you can disable it with Group Policy: -**Use Group Policy to diasble real-time protection:** +**Use Group Policy to disable real-time protection:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md index ea6dd93746..b664d78cdf 100644 --- a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md @@ -39,7 +39,7 @@ You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.micr ## Configure remediation options -You can configure how remediation with the Group Policy settings described in this section. +You can configure how remediation works with the Group Policy settings described in this section. To configure these settings: diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index 011897e94c..5bd33553ac 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -34,8 +34,8 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). 
@@ -51,7 +51,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull Topic | Description :---|:--- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. -[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. +[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. 
+[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 708ddc8854..24412f45b9 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -138,3 +138,4 @@ Use the solution explorer to view alerts in Splunk. - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index e24a68abfe..6fd0497318 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -53,9 +53,9 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - cipher /c file_name + cipher /c filename - Where *file_name* is the name of the file you created in Step 1. + Where *filename* is the name of the file you created in Step 1. 4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. 
@@ -67,7 +67,7 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - cipher /d encryptedfile.extension> + cipher /d encryptedfile.extension Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 5a51f50d60..91b8f3df68 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -387,7 +387,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. Enterprise Network Domain Names (Required) @@ -493,10 +493,10 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225) - [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226) ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - ## Related topics - [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372) - [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623) -- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624) \ No newline at end of file +- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file 
diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md index c2bc39226d..0adc21dd7f 100644 --- a/windows/keep-secure/credential-guard-considerations.md +++ b/windows/keep-secure/credential-guard-considerations.md @@ -1,4 +1,4 @@ ---- +--- title: Considerations when using Credential Guard (Windows 10) description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10. ms.prod: w10 
@@ -17,19 +17,8 @@ author: brianlic-msft Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series. - -- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. -- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 - - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. - - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. - - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. - - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. 
-- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. + +- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. - Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. - As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. 
@@ -38,7 +27,6 @@ in the Deep Dive into Credential Guard video series. - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. - ## NTLM and CHAP Considerations diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md index a70d85eb17..e4081028d7 100644 --- a/windows/keep-secure/credential-guard-manage.md +++ b/windows/keep-secure/credential-guard-manage.md @@ -1,4 +1,4 @@ ---- +--- title: Manage Credential Guard (Windows 10) description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. ms.prod: w10 
@@ -19,7 +19,9 @@ Prefer video? See [Protecting privileged users with Credential Guard](https://mv in the Deep Dive into Credential Guard video series. ## Enable Credential Guard -Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). +Credential Guard can be enabled either by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines. + ### Enable Credential Guard by using Group Policy @@ -41,7 +43,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. -### Add the virtualization-based security features +#### Add the virtualization-based security features Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. @@ -74,7 +76,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. -### Enable virtualization-based security and Credential Guard +#### Enable virtualization-based security and Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: 
@@ -101,22 +103,18 @@ DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot ### Credential Guard deployment in virtual machines -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. -Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: +#### Requirements for running Credential Guard in Hyper-V virtual machines -``` PowerShell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -Requirements for running Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. +### Review Credential Guard performance -### Check that Credential Guard is running +**Is Credential Guard running?** -You can use System Information to ensure that Credential Guard is running on a PC. +You can view System Information to check that Credential Guard is running on a PC. 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. 2. Click **System Summary**. 
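Review bot: The new heading `### Review Credential Guard performance` does not describe the section under it, which is the msinfo32 procedure for checking that Credential Guard is running, and the old `### Check that Credential Guard is running` heading was also a link anchor that other text may point at. I would keep a verb-led heading such as `### Verify that Credential Guard is running` and drop the bold pseudo-heading `**Is Credential Guard running?**`, which does not appear in the page TOC. The rewritten VM paragraph states the trust boundary correctly (protection from attacks inside the VM, none against the host); since the same statement now also appears in the `Enable Credential Guard` hunk of this file, one of the two copies could point to the other to avoid drift.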
@@ -132,10 +130,26 @@ You can also check that Credential Guard is running by using the [Device Guard a DG_Readiness_Tool_v3.0.ps1 -Ready ``` +> [!NOTE] -### Remove Credential Guard +For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features. -If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). +- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain. + +- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 + - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. + - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. + - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] + - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. 
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + +## Disable Credential Guard + +If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). 1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: @@ -146,11 +160,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -3. Delete the Credential Guard EFI variables by using bcdedit. - -**Delete the Credential Guard EFI variables** - -1. From an elevated command prompt, type the following commands: +3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s @@ -180,7 +190,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). -#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool +#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). 
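Review bot: The added `> [!NOTE]` line at the top of the `@@ -132` hunk has no quoted body: the sentence after it (`For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.`) is not prefixed with `>`, so the callout renders empty and the sentence as a plain paragraph. Prefix it with `> ` and, for consistency with the `Windows 10, version 1607` wording earlier in the file, write `Windows 10, version 1703`. That sentence is exactly why a running LsaIso.exe process is not by itself evidence that Credential Guard is on, so a second quoted line such as `> Use the System Information check above rather than the presence of LsaIso.exe to confirm that Credential Guard is enabled.` would make the point explicit for readers who audit with process lists or the WinInit events listed below it.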
@@ -188,5 +198,15 @@ You can also disable Credential Guard by using the [Device Guard and Credential DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot ``` +#### Disable Credential Guard for a virtual machine + +From the host, you can disable Credential Guard for a virtual machine: + +``` PowerShell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + + + diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md index 6206dbe532..bce8580dfb 100644 --- a/windows/keep-secure/credential-guard-not-protected-scenarios.md +++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md @@ -1,5 +1,5 @@ ---- -title: Scenarios not protected by Credential Guard (Windows 10) +--- +title: Credential Guard protection limits (Windows 10) description: Scenarios not protected by Credential Guard in Windows 10. ms.prod: w10 ms.mktglfcycl: explore @@ -9,7 +9,7 @@ localizationpriority: high author: brianlic-msft --- -# Scenarios not protected by Credential Guard +# Credential Guard protection limits **Applies to** - Windows 10 
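Review bot: The moved example `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` has no argument after `-VMName` (the placeholder was presumably lost as an HTML-like token when the block was moved), so the command fails as written. Change it to `Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true`, with `<VMName>` escaped or placed in the code fence so the renderer keeps it. Because this is run on the host and turns off virtualization-based security for the guest, a one-line cross-reference to the `Credential Guard deployment in virtual machines` section (host administrators are outside what Credential Guard protects against) would help readers understand who can reach this switch and that its use is worth auditing.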
@@ -29,9 +29,10 @@ Some ways to store credentials are not protected by Credential Guard, including: - Third-party security packages - Digest and CredSSP credentials - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well. - -For further information, see video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- +- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- Windows logon cached password verifiers (commonly called "cached credentials") +do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. ## Additional mitigations 
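Review bot: The rewritten NTLM bullet ends with a stray `.-` (`vulnerable to key loggers as well.-`), which renders as a dangling hyphen; drop the hyphen. The new cached-credentials bullet is broken across two physical lines after `(commonly called "cached credentials")`; most renderers will lazily continue the list item, but joining it onto one line matches the rest of the list and avoids renderer differences. The bullet's scope note (verifiers cannot be presented to another computer) is the right framing; it may also be worth saying in one clause why the `Interactive logon: Number of previous logons to cache` setting is mentioned, namely that the stored verifiers remain on the device and so their number is something a defender limits.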
@@ -41,7 +42,7 @@ Credential Guard can provide mitigations against attacks on derived credentials Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. -### Kerberos armoring +#### Kerberos armoring Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
@@ -51,7 +52,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. -### Protecting domain-joined device secrets +#### Protecting domain-joined device secrets Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. @@ -63,7 +64,7 @@ Domain-joined device certificate authentication has the following requirements: - Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -#### Deploying domain-joined device certificates +##### Deploying domain-joined device certificates To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. 
@@ -95,7 +96,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate.   -#### How a certificate issuance policy can be used for access control +##### How a certificate issuance policy can be used for access control Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. @@ -117,7 +118,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -### Restricting user sign on +#### Restricting user sign on So we now have completed the following: 
@@ -146,12 +147,493 @@ Authentication policies have the following requirements: > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. -#### Discovering authentication failures due to authentication policies +##### Discovering authentication failures due to authentication policies To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). + + + +### Appendix: Scripts + + +Here is a list of scripts mentioned in this topic. + +#### Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$Identity, +$LinkedToGroup +) +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. 
+help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. +help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity +write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. +  +#### Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) +####################################### +## Strings definitions ## +####################################### +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". +IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. 
+ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} +# import-localizeddata ErrorMsg +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. +import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +if ( !($IssuancePolicyName) ) { +display-Help +break +} +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} +####################################### +## Find the container of the group ## +####################################### +if ($groupOU -eq 
$null) { +# default to the Users container +$groupContainer = $domain.UsersContainer +} +else { +$searchBase = [string]$domain.DistinguishedName +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +if ($groupContainer.count -gt 1) { +$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase +write-host $tmp -ForegroundColor Red +break; +} +elseif ($groupContainer -eq $null) { +$tmp = $ErrorMsg.confirmOUcreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName +if ($?){ +$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU +write-host $tmp -ForegroundColor Green +} +else{ +$tmp = $ErrorMsg.OUCreationError -f $groupOU +write-host $tmp -ForeGroundColor Red +break; +} +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name +write-host $tmp -ForegroundColor Green +} +} +####################################### +## Find the group ## +####################################### +if (($groupName -ne $null) -and ($groupName -ne "")){ +##$searchBase = [String]$groupContainer.DistinguishedName +$searchBase = $groupContainer +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +if ($group -ne $null -and $group.gettype().isarray) { +$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($group -eq $null) { +$tmp = $ErrorMsg.confirmGroupCreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) 
{ +$tmp = $ErrorMsg.UnlinkSuccess +write-host $tmp -ForeGroundColor Green +}else{ +$tmp = $ErrorMsg.UnlinkError +write-host $tmp -ForeGroundColor Red +} +} +else { +$tmp = $ErrorMsg.UnlinkExit +write-host $tmp +break +} +} +else { +$tmp = $ErrorMsg.IPNotLinked +write-host $tmp -ForeGroundColor Yellow +} +break; +} +####################################### +## Verify that the group is ## +## Universal, Security, and ## +## has no members ## +####################################### +if ($group.GroupScope -ne "Universal") { +$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +if ($group.GroupCategory -ne "Security") { +$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +$members = Get-ADGroupMember -Identity $group +if ($members -ne $null) { +$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} +break; +} +####################################### +## We have verified everything. We ## +## can create the link from the ## +## Issuance Policy to the group. ## +####################################### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName +write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Replace $tmp +if ($?) 
{ +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + ## See also **Deep Dive into Credential Guard: Related videos** diff --git a/windows/keep-secure/credential-guard-protection-limits.md b/windows/keep-secure/credential-guard-protection-limits.md new file mode 100644 index 0000000000..f159c931c3 --- /dev/null +++ b/windows/keep-secure/credential-guard-protection-limits.md 
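Review bot: The second script's help text disagrees with the file name the topic tells the reader to use: the listing is introduced as "Save the script file as set-IssuancePolicyToGroupLink.ps1" and the earlier section invokes `.\set-IssuancePolicyToGroupLink.ps1`, yet both examples emitted by `Display-Help` call `.\Set-IssuancePolicyToGroupMapping.ps1`, so the two example lines should read `.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName "High Assurance" -groupOU "OU_FOR_IPol_linked_groups" -groupName "HighAssuranceGroup"` and `.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null`. In the group-creation branch, `new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName ...` passes no `-Name`, which New-ADGroup appears to require, so the call will likely prompt interactively and the following `get-adgroup -Filter { (Name -eq $groupName) ... }` may not find the group it just created; adding `-Name $groupName` keeps creation non-interactive and the re-lookup consistent. Just above that, `$searchBase = $groupContainer` replaced the commented-out `[String]$groupContainer.DistinguishedName`, so `-searchBase` receives an ADObject rather than a DN string and the `multipleGroups` message prints the object instead of a path; the commented-out form looks like the intended one. Since these scripts modify `msDS-OIDToGroupLink` in the Configuration naming context — the attribute that turns a certificate issuance policy into group membership — a one-line note before the listings that they typically need Enterprise Admin-equivalent rights and should be run from a trusted admin workstation would fit this topic, especially as the empty-membership check only holds at link time.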
@@ -0,0 +1,41 @@ +--- +title: Credential Guard protection limits (Windows 10) +description: Scenarios not protected by Credential Guard in Windows 10. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Credential Guard protection limits + +**Applies to** +- Windows 10 +- Windows Server 2016 + +Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +in the Deep Dive into Credential Guard video series. + +Some ways to store credentials are not protected by Credential Guard, including: + +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Key loggers +- Physical attacks +- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
Note that these same credentials are vulnerable to key loggers as well.- +- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- Windows logon cached password verifiers (commonly called "cached credentials") +do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. + +## See also + +**Deep Dive into Credential Guard: Related videos** + +[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md index ac57f3e615..fb622e18eb 100644 --- a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md 
@@ -31,9 +31,9 @@ You can use Group Policy, PowerShell, and Windows Management Instrumentation (WM Topic | Description ---|--- -[Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning -[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quaratine folder +[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning +[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. 
You can also enable network file scanning +[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans [Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app [Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md index 56578ebbbb..3a1c5ca1c6 100644 --- a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md 
@@ -36,22 +36,20 @@ You'll also see additional links for: > In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus. -Tool|Deployment options (1)|Management options (network-wide configuration and policy or baseline deployment) ([2](#fn2))|Reporting options +Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- -System Center Configuration Manager ([3](#fn3))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][] Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] 
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. -1. 
The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref1) - -1. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref2) -1. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. 
Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3) - +2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) +3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2) diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/keep-secure/deploy-windows-defender-antivirus.md index f81ce50c65..0f51f5cf85 100644 --- a/windows/keep-secure/deploy-windows-defender-antivirus.md +++ b/windows/keep-secure/deploy-windows-defender-antivirus.md 
@@ -27,7 +27,7 @@ author: iaanw
 Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection.
-See the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1) for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
+See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
 Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments.
@@ -37,4 +37,4 @@ The remaining topic in this section provides end-to-end advice and best practice
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrasructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
+- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
index 6c2984299b..edd4fc5d3e 100644
--- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md 
+++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
@@ -58,7 +58,7 @@ There are three main steps in this guide to help roll out Windows Defender AV pr
 - [Randomize scheduled scans](#randomize-scheduled-scans)
 - [Use quick scans](#use-quick-scans)
 - [Prevent notifications](#prevent-notifications)
- - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+ - [Disable scans from occurring after every update](#disable-scans-after-an-update)
 - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
 >[!IMPORTANT]
@@ -147,7 +147,7 @@ There are a number of settings that can help ensure optimal performance on your
 - [Randomize scheduled scans](#randomize-scheduled-scans)
 - [Use quick scans](#use-quick-scans)
 - [Prevent notifications](#prevent-notifications)
- - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+ - [Disable scans from occurring after every update](#disable-scans-after-an-update)
 - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
 These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network. 
@@ -157,7 +157,7 @@ These settings can be configured as part of creating your base image, or as a da
 ### Randomize scheduled scans
-Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
+Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
 Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). 
@@ -175,7 +175,7 @@ The start time of the scan itself is still based on the scheduled scan policy
 5. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
- 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the sechedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
+ 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
 **Use Configuration Manager to randomize schedule scans:**
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
index abdb360aef..98c5ae9865 100644
--- a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md 
@@ -113,7 +113,7 @@ See the following for more information and allowed parameters:
 > [!WARNING]
 > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
-5. Scoll down to the **Microsoft Active Protection Service** section and set the following settings:
+5. Scroll down to the **Microsoft Active Protection Service** section and set the following settings:
 Setting | Set to
 --|--
@@ -139,7 +139,7 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
 >[!NOTE]
->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailble.
+>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
 ## Related topics
@@ -150,4 +150,4 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
 - [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
 - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
-- - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file 
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 9c83ea0f99..e995968888 100644
--- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -53,3 +53,4 @@ You can now proceed with configuring your SIEM solution or connecting to the ale
 - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
 - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index b7f9bce85f..df1301d438 100644
--- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,71 @@ This step will guide you in creating an alert definition and an IOC for a malici
 NOTE:
Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.
- [!code[ExampleScript](./code/example-script.ps1#L1-L60)]
+ ```
+ $authUrl = 'Your Authorization URL'
+ $clientId = 'Your Client ID'
+ $clientSecret = 'Your Client Secret'
+
+
+ Try
+ {
+ $tokenPayload = @{
+ "resource" = 'https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+ "Fetching an access token"
+ $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+ $token = $response.access_token
+ "Token fetched successfully"
+
+ $headers = @{
+ "Content-Type" = "application/json"
+ "Accept" = "application/json"
+ "Authorization" = "Bearer {0}" -f $token }
+
+ $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+ $alertDefinitionPayload = @{
+ "Name" = "Test Alert"
+ "Severity" = "Medium"
+ "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
+ "Title" = "Test alert."
+ "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
+ "RecommendedAction" = "No recommended action for this test alert." 
+ "Category" = "SuspiciousNetworkTraffic"
+ "Enabled" = "true"}
+
+ "Creating an Alert Definition"
+ $alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+ "Alert Definition created successfully"
+ $alertDefinitionId = $alertDefinition.Id
+
+ $iocPayload = @{
+ "Type"="IpAddress"
+ "Value"="52.184.197.12"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+ "Creating an Indicator of Compromise"
+ $ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+ "Indicator of Compromise created successfully"
+
+ "All done!"
+ }
+ Catch
+ {
+ 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
+ }
+
+ ```
 3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
index 3294599cd2..a0cabb4a95 100644
--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -25,7 +25,7 @@ This section includes info about the enlightened Microsoft apps, including how t
 |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
 |[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
 |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
-|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). |
+|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). |
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/images/atp-example-email-notification.png b/windows/keep-secure/images/atp-example-email-notification.png
new file mode 100644
index 0000000000..c46cc214d7
Binary files /dev/null and b/windows/keep-secure/images/atp-example-email-notification.png differ 
diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
index e1142eb8e3..9726dfceba 100644
--- a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
@@ -61,7 +61,7 @@ You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to
 4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use PowerShell cmdlets to to check for protection updates before running a scan:**
+**Use PowerShell cmdlets to check for protection updates before running a scan:**
 Use the following cmdlets:
@@ -72,7 +72,7 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to to check for protection updates before running a scan**
+**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
index 7228604795..32920b478d 100644
--- a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md 
@@ -92,7 +92,7 @@ See the following for more information and allowed parameters:
 ## Set the number of days before protection is reported as out-of-date
-You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)).
 **Use Group Policy to specify the number of days before protection is considered out-of-date:**
diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
index 28197fc0c6..feffc5c8b6 100644
--- a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md 
@@ -52,7 +52,7 @@ You can also randomize the times when each endpoint checks and downloads protect
 5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
- 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the nuber of hours between updates. Click **OK**.
+ 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
diff --git a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index 660d4049a7..6138bb8a05 100644
--- a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md 
@@ -35,7 +35,7 @@ There are two settings that are particularly useful for these devices:
 - Opt-in to Microsoft Update on mobile computers without a WSUS connection
 - Prevent definition updates when running on battery power
-The following topics may also be useful in this situations:
+The following topics may also be useful in these situations:
 - [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
 - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
 - [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 5498802fbb..b632c08944 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -23,6 +23,8 @@ localizationpriority: high
 There are some minimum requirements for onboarding your network and endpoints.
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
+
 ## Minimum requirements
 You must be on Windows 10, version 1607 at a minimum. For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). 
@@ -114,3 +116,5 @@ When Windows Defender is not the active antimalware in your organization and you
 If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
index 1412786961..e207ba506e 100644
--- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md 
@@ -28,8 +28,7 @@ The Group Policy settings in this topic are related to three types of process mi
 - **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
-- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
-
+- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`.
 The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
index 718ca488fb..ff8d0da12b 100644
--- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md 
@@ -14,32 +14,32 @@ author: justinha
 **Applies to:**
 - Windows 10
-This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Windows and Office, see [Related topics](#related-topics).
+This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics).
 | **Section** | **Contents** |
 |--------------|-------------------------|
-| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines the basic ways that Windows 10 is designed to mitigate software exploits and similar threats. |
+| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. |
 | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). |
-| [Windows 10 mitigations that need no configuration](#windows-10-mitigations-that-need-no-configuration) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. 
|
-| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | For IT professionals who are familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. |
+| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. |
+| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. |
 This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
 Types of defenses in Windows 10
-**Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses**
+*Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses*
 ## The security threat landscape
-Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline. 
Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom, and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge.
+Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
-In recognition of this landscape, Windows 10, version 1703 includes multiple security features that were created to make it difficult (and costly) to find and exploit software vulnerabilities. 
These features are designed to:
+In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to:
 - Eliminate entire classes of vulnerabilities
 - Break exploitation techniques
-- Contain damage and prevent persistence
+- Contain the damage and prevent persistence
 - Limit the window of opportunity to exploit
@@ -47,48 +47,46 @@ The following sections provide more detail about security mitigations in Windows
 ## Windows 10 mitigations that you can configure
-Windows 10 mitigations that you can configure are listed in the following two tables. The first table focuses on features such as Device Guard, and the second table describes memory protection options such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory to gain control of a system.
+Windows 10 mitigations that you can configure are listed in the following two tables. The first table covers a wide array of protections for devices and users across the enterprise and the second table drills down into specific memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory in order to gain control of a system.
 **Table 1  Windows 10 mitigations that you can configure**
 | Mitigation and corresponding threat | Description and links |
 |---|---|
-| **Windows Defender SmartScreen**,
which helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
-| **Credential Guard**,
which helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | -| **Enterprise certificate pinning**,
which helps keep users
from being deceived by
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf.

**More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | -| **Device Guard**,
which helps keep a device
from running malware or
other untrusted apps | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | -| **Windows Defender Antivirus**,
which helps keep devices
free of viruses and other
known software threats | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | -| **Blocking of untrusted fonts**,
which helps prevent fonts
from being used in
elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | -| **Memory protections** listed in [Table 2](#table-2),
which help prevent malware
from using memory manipulation
techniques such as buffer
overruns | This set of mitigations helps to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system. For example, malware might use buffer overruns to inject malicious executable code into memory.
A minority of trusted apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing needed apps to run correctly.

**More information**: [Table 2](#table-2), later in this topic | -| **UEFI Secure Boot**,
which helps protect
the platform from
bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot helps to protect the boot process and firmware from tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) | -| **Early Launch Antimalware (ELAM)**,
which helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) | -| **Device Health Attestation**,
which helps prevent
compromised devices from
accessing an organization’s
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | +| **Windows Defender SmartScreen**
helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | +| **Credential Guard**
helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | +| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

**More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | +| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | +| **Windows Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | +| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | +| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

**More information**: [Table 2](#table-2), later in this topic | +| **UEFI Secure Boot**
helps protect
the platform from
bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) | +| **Early Launch Antimalware (ELAM)**
helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) | +| **Device Health Attestation**
helps prevent
compromised devices from
accessing an organization’s
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | -Configurable Windows 10 mitigations oriented specifically toward memory manipulation are listed in the following table. Detailed understanding of these threats and mitigations requires knowledge of how the operating system and applications handle memory—knowledge used by developers but not necessarily by IT professionals. However, from an IT professional’s perspective, the basic process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any needed applications. Then you can deploy settings that maximize protection while still allowing needed apps to run correctly. +Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly. -Also, as an IT professional, you can ask application developers and software vendors to deliver applications compiled with an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications, as described in [Control Flow Guard](#control-flow-guard), later in this topic. +As an IT professional, you can ask application developers and software vendors to deliver applications that include an additional protection called Control Flow Guard (CFG). 
No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard). -### Table 2  Configurable Windows 10 mitigations designed to protect against memory exploits +### Table 2  Configurable Windows 10 mitigations designed to help protect against memory exploits | Mitigation and corresponding threat | Description | |---|---| -| **Data Execution Prevention (DEP),**
which helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature that has been available in Windows operating systems for over a decade. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.
For more information, see [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | -| **SEHOP**,
which helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not.
For more information, see [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | -| **ASLR**,
which mitigates malware
attacks based on
expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This mitigates malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.
For more information, see [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **Data Execution Prevention (DEP)**
helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.
**More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **SEHOP**
helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
**More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **ASLR**
helps mitigate malware
attacks based on
expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.
**More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | ### Windows Defender SmartScreen Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads. -Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filter’s application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings. - -For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. 
+For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md). ### Windows Defender Antivirus -Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: +Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: - **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. 
@@ -108,13 +106,11 @@ For information about Windows Defender Advanced Threat Protection, a service tha ### Data Execution Prevention -Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? +Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? -Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted within through a vulnerability exploit. +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit. -Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP. - -**To use Task Manager to see which apps use DEP** +**To use Task Manager to see apps that use DEP** 1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. 
@@ -126,13 +122,13 @@ Because of the importance of DEP, users cannot install Windows 10 on a computer 5. Click **OK**. -You can now see which processes have DEP enabled. Figure 2 shows the processes running on a Windows 10 PC with a single process that does not support DEP. +You can now see which processes have DEP enabled. ![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) -**Figure 2.  Processes on which DEP has been enabled in Windows 10** +*Figure 2.  Processes on which DEP has been enabled in Windows 10* You can use Control Panel to view or change DEP settings. 
@@ -154,17 +150,17 @@ You can use Control Panel to view or change DEP settings. #### To use Group Policy to control DEP settings -You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. Although some applications have compatibility problems with DEP, the vast majority of applications do not. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). +You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. A few applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). ### Structured Exception Handling Overwrite Protection Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. -You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). +You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. 
A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). ### Address Space Layout Randomization -One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. +One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations. Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. 
@@ -172,29 +168,27 @@ Address Space Layout Randomization (ASLR) makes that type of attack much more di **Figure 3.  ASLR at work** -Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed, starting with Windows 8, Microsoft applied ASLR holistically across the system and increased the level of entropy many times. - -The ASLR implementation in Windows 10 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. +Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). 
-## Windows 10 mitigations that need no configuration +## Mitigations that are built in to Windows 10 -Windows 10 provides many threat mitigations that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. +Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. -One of the mitigations, Control Flow Guard (CFG), needs no configuration within the operating system, but does require that the application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other features in Windows 10, and can be built into many other applications when they are compiled. +Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. ### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed | Mitigation and corresponding threat | Description | |---|---| -| **SMB hardening for SYSVOL and NETLOGON shares**,
which mitigates
man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. | -| **Protected Processes**,
which help prevent one process
from tampering with another
process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.

**More information**: [Protected Processes](#protected-processes), later in this topic. | -| **Universal Windows apps protections**,
which screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | -| **Heap protections**,
which help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | -| **Kernel pool protections**,
which help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | -| **Control Flow Guard**,
which mitigates exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | -| **Protections built into Microsoft Edge** (the browser),
which mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | +| **SMB hardening for SYSVOL and NETLOGON shares**
helps mitigate
man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. | +| **Protected Processes**
help prevent one process
from tampering with another
process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.

**More information**: [Protected Processes](#protected-processes), later in this topic. | +| **Universal Windows apps protections**
screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | +| **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | +| **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | +| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares 
@@ -205,15 +199,15 @@ In Windows 10 and Windows Server 2016, client connections to the Active Director ### Protected Processes -Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type. +Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type. With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. ### Universal Windows apps protections -When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. 
+When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. -Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. +Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. 
@@ -221,7 +215,7 @@ In addition, all Universal Windows apps follow the security principle of least p The *heap* is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack. -Windows 10 has several important improvements to the security of the heap over Windows 7: +Windows 10 has several important improvements to the security of the heap: - **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. 
@@ -241,9 +235,9 @@ In addition to pool hardening, Windows 10 includes other kernel hardening featur - **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) -- **Supervisor Mode Execution Prevention (SMEP)**: Prevents the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. +- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. -- **Safe unlinking:** Protects against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. +- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. - **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory. 
@@ -253,13 +247,13 @@ When applications are loaded into memory, they are allocated space based on the This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. -An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Administrators should consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. ### Microsoft Edge and Internet Explorer 11 -Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. 
Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. +Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. 
@@ -277,7 +271,7 @@ Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is m In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. -For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when users use Microsoft Edge and it identifies a site that requires IE11, they will automatically be switched to IE11. +For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. ### Functions that software vendors can use to build mitigations into apps 
@@ -302,9 +296,9 @@ Some of the protections available in Windows 10 are provided through functions t ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit -You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. If you are familiar with EMET, you can use this section to understand how those mitigations map to Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, are not considered durable, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. -EMET has benefited many enterprise IT admins and other security enthusiasts and early adopters, yet has also fallen behind the pace of security innovation in Windows. 
For this reason and because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). +Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). The following table lists EMET features in relation to Windows 10 features. @@ -325,21 +319,21 @@ to Windows 10 features

  • SEHOP

  • ASLR (Force ASLR, Bottom-up ASLR)

  • -

    Included in Windows 10 as configurable features. See Table 2, earlier in this topic.

    -

    Also see the section that follows for steps you can take to convert your EMET settings for these features into policies that you can apply to Windows 10.

    +

    DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.

    +

    You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.

    • Load Library Check (LoadLib)

    • Memory Protection Check (MemProt)

    -Supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic. +LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
    • Null Page

    -No action needed; mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic. +Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
      @@ -347,7 +341,7 @@ to Windows 10 features
    • EAF

    • EAF+

    -Windows 10 does not include mitigations that map specifically to these EMET features, because they are seen as low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them. +Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
      
@@ -371,12 +365,64 @@ One of EMET’s strengths is that it allows you to import and export configurati Install-Module -Name ProcessMitigations ``` -The ConvertTo-ProcessMitigationPolicy cmdlet can: +The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file. -- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example: +To get the current settings on all running instances of notepad.exe: + +```powershell +Get-ProcessMitigation -Name notepad.exe -RunningProcess +``` + +To get the current settings in the registry for notepad.exe: + +```powershell +Get-ProcessMitigation -Name notepad.exe +``` + +To get the current settings for the running process with pid 1304: + +```powershell +Get-ProcessMitigation -Id 1304 +``` + +To get the all process mitigation settings from the registry and save them to the xml file settings.xml: + +```powershell +Get-ProcessMitigation -RegistryConfigFilePath settings.xml +``` + +The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file. + +To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR: + +```powershell +Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR +``` + +To set the process mitigations from an XML file (which can be generated from get-ProcessMitigation -RegistryConfigFilePath settings.xml): + +```powershell +Set-ProcessMitigation -PolicyFilePath settings.xml +``` + +To set the system default to be MicrosoftSignedOnly: + +```powershell +Set-ProcessMitigation -System -Enable MicrosoftSignedOnly +``` + +The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. 
The syntax is: + +```powershell +ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath [] +``` + +Examples: + +- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation settings. For example: ```powershell - ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml + ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml ``` - **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad: 
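Review bot: The syntax line `ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath []` has lost its argument placeholders, so it reads as if both parameters are switches; the angle-bracket tokens were presumably stripped as HTML before the text was pasted, and the line should read something like `ConvertTo-ProcessMitigationPolicy -EMETFilePath <String> -OutputFilePath <String> [<CommonParameters>]` (confirm against the module's help output). The `Set-ProcessMitigation -System -Enable MicrosoftSignedOnly` example sets a machine-wide default that, judging by its name, would block image loads that are not Microsoft-signed in every process, and it deserves a one-sentence caveat after the fence such as "Test this setting on a pilot device first; third-party software that loads unsigned or non-Microsoft-signed binaries will fail to run." In the same hunk `get-ProcessMitigation` is cased differently from the `Get-ProcessMitigation` used everywhere else, and "To get the all process mitigation settings" should be "To get all process mitigation settings".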
@@ -390,12 +436,12 @@ The ConvertTo-ProcessMitigationPolicy cmdlet can: - **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example: ```powershell - ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml + ConvertTo-ProcessMitigationPolicy -EMETfilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml ``` #### EMET-related products -Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer enterprise deliveries for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP). +Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP). ## Related topics diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md index b41b8bdaae..9bf4342870 100644 
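Review bot: The certificate-pinning example spells the parameter `-EMETfilePath` while the conversion example earlier in the same topic uses `-EMETFilePath`; PowerShell parameter names are case-insensitive so both run, but the two examples should use one spelling, `ConvertTo-ProcessMitigationPolicy -EMETFilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml`. The surrounding list item starts before this hunk.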
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -36,19 +36,43 @@ The following example demonstrates how to obtain an Azure AD access token that y Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal: -[!code[CustomTIAPI](./code/example.ps1#L1-L14)] +```powershell +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' + +$tokenPayload = @{ + "resource"='https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + +$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload +$token = $response.access_token + +``` ## Step 2: Create headers used for the requests with the API Use the following code to create the headers used for the requests with the API: -[!code[CustomTIAPI](./code/example.ps1#L16-L19)] +```powershell +$headers = @{ + "Content-Type"="application/json" + "Accept"="application/json" + "Authorization"="Bearer {0}" -f $token } + +$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" +``` ## Step 3: Create calls to the custom threat intelligence API After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: -[!code[CustomTIAPI](./code/example.ps1#L21-L24)] +```powershell +$alertDefinitions = + (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value +``` The response is empty on initial use of the API. 
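Review bot: Step 1 now puts the client secret in a literal, `$clientSecret = 'Your Client Secret'`, and the text never says that this value must not be saved into the script or committed with it; a sentence after the fence, such as "Do not store the client secret in the script file; supply it at run time (for example from an environment variable or `Read-Host -AsSecureString`) so it is not left in plain text on disk or in source control", would close that gap. The token request `$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload` is also unchecked: if it fails or returns no `access_token`, `$token` is empty and every later call sends a bare `Bearer ` header, so a guard like `if (-not $token) { throw 'Token request returned no access_token' }` after the assignment would surface the failure where it happens. The closing fence of the Step 1 block is preceded by a stray blank line, unlike the other blocks in this hunk.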
@@ -56,18 +80,96 @@ The response is empty on initial use of the API.
 ## Step 4: Create a new alert definition
 The following example demonstrates how you to create a new alert definition.
-[!code[CustomTIAPI](./code/example.ps1#L26-L39)]
+```powershell
+$alertDefinitionPayload = @{
+ "Name"= "The alert's name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+```
 ## Step 5: Create a new indicator of compromise
 You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-[!code[CustomTIAPI](./code/example.ps1#L43-L53)]
+```powershell
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+```
 ## Complete code
 You can use the complete code to create calls to the API.
-[!code[CustomTIAPI](./code/example.ps1#L1-L53)]
+```powershell
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
+
+$tokenPayload = @{
+ "resource"='https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+$headers = @{
+ "Content-Type"="application/json"
+ "Accept"="application/json"
+ "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+$alertDefinitions =
+ (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+
+$alertDefinitionPayload = @{
+ "Name"= "The alert's name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+$alertDefinitionId = $alertDefinition.Id
+
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+
+```
 ## Related topics
 - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
index 0306678e79..fb768346fe 100644
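Review bot: The Step 5 fence reads `$alertDefinitionId` without ever assigning it; in the step-by-step snippets only `$alertDefinition` exists, so `"AlertDefinitions({0})" -f $alertDefinitionId` formats an unset variable (an empty id, unless strict mode is on) for a reader who pastes the steps in order. The complete-code listing in this same hunk does carry `$alertDefinitionId = $alertDefinition.Id`, so that line belongs at the top of the Step 5 fence too. Separately, both payloads send `"Enabled"= "true"` as a string while the Python example in this commit sends a boolean; unless the API is known to accept both forms, `"Enabled"= $true` keeps the two examples consistent and lets ConvertTo-Json emit a JSON boolean. The same string-versus-boolean point applies to the Step 4 fence and to the complete-code listing.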
--- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md @@ -49,4 +49,4 @@ The following features are included in the preview release: - [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization. >[!NOTE] -> All response actions require machines to be on the latest Windows 10 Insider Preview build. +> All response actions require machines to be on the latest Windows 10, version 1703. diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 0a8a8d62ea..18106bc1bf 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -93,8 +93,9 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - - >**Note**
      For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
      System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + + >[!Note] + >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
      System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index ac0409286d..9791688940 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -365,7 +365,7 @@ The following table details the hardware requirements for both virtualization-ba

      Trusted Platform Module (TPM)

      -

      Required to support health attestation and necessary for additional key protections for virtualization-based security.

      +

      Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.

diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 5e04c5302d..2c68f00d27 100644
--- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -193,3 +193,4 @@ HTTP error code | Description
 - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index a67b250923..dc44b7cbea 100644
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -38,20 +38,45 @@ The following example demonstrates how to obtain an Azure AD access token that y
 Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
-[!code[CustomTIAPI](./code/example.py#L1-L17)]
+```
+import json
+import requests
+from pprint import pprint
+
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+```
 ## Step 2: Create request session object
 Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
-[!code[CustomTIAPI](./code/example.py#L19-L23)]
+```
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+```
 ## Step 3: Create calls to the custom threat intelligence API
 After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
-[!code[CustomTIAPI](./code/example.py#L25-L26)]
+```
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+```
 The response is empty on initial use of the API.
@@ -59,18 +84,95 @@ The response is empty on initial use of the API.
 ## Step 4: Create a new alert definition
 The following example demonstrates how you to create a new alert definition.
-[!code[CustomTIAPI](./code/example.py#L28-L39)]
+```
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+```
 ## Step 5: Create a new indicator of compromise
 You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-[!code[CustomTIAPI](./code/example.py#L41-L51)]
+```
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+```
 ## Complete code
 You can use the complete code to create calls to the API.
-[!code[CustomTIAPI](./code/example.py#L1-L53)]
+```syntax
+import json
+import requests
+from pprint import pprint
+
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+
+ pprint(json.loads(response.text))
+```
 ## Related topics
 - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/report-monitor-windows-defender-antivirus.md b/windows/keep-secure/report-monitor-windows-defender-antivirus.md
index c2a5ab14a1..1ada466447 100644
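Review bot: The complete-code fence is opened with ```syntax, and the five step fences (the three in the preceding hunk and the two in this one) carry no language tag at all; `syntax` is not a recognised highlighter name, so none of these blocks renders as Python. Tag every fence ```python, matching the ```powershell fences used in the PowerShell counterpart of this commit. Separately, `token = json.loads(response.text)["access_token"]` turns an authentication failure into a bare KeyError, because an error reply from the token endpoint carries no `access_token`; adding `response.raise_for_status()` on the line before gives a readable failure instead of continuing with a missing token. The later `json.loads(response.text)["Id"]` has the same shape and would benefit from the same check.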
--- a/windows/keep-secure/report-monitor-windows-defender-antivirus.md +++ b/windows/keep-secure/report-monitor-windows-defender-antivirus.md 
@@ -26,11 +26,17 @@ There are a number of ways you can review protection status and alerts, dependin
-You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](ttps://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
-If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
-For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](security-auditing-overview.md) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
+
+These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM.
+
+You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware).
+
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
 ## Related topics
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
index e9d223c9d6..c768906d08 100644
--- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -34,13 +34,13 @@ You can contain an attack in your organization by stopping the malicious process The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10 Insider Preview build where the file was observed in the last 30 days. +The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline - – **Search box** - select File from the drop–down menu and enter the file name + - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline + - **Search box** - select File from the drop–down menu and enter the file name 2. Open the **Actions menu** and select **Stop & Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) 
@@ -50,11 +50,11 @@ The action takes effect on machines with the latest Windows 10 Insider Preview b The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - – **Submission time** - Shows when the action was submitted. - – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. - – **Success** - Shows the number of machines where the file has been stopped and quarantined. - – **Failed** - Shows the number of machines where the action failed and details about the failure. + - **Submission time** - Shows when the action was submitted.
      + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
      + - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
      + - **Success** - Shows the number of machines where the file has been stopped and quarantined.
      + - **Failed** - Shows the number of machines where the action failed and details about the failure.
      4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -108,9 +108,9 @@ The Action center shows the submission information: ![Image of block file](images/atp-blockfile.png) - – **Submission time** - Shows when the action was submitted. - – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - – **Status** - Indicates whether the file was added to or removed from the blacklist. + - **Submission time** - Shows when the action was submitted.
      + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
      + - **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
      @@ -129,9 +129,9 @@ For prevalent files in the organization, a warning is shown before an action is ### Remove file from blocked list 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - – **Alerts** - Click the file links from the Description or Details in the Alert timeline - – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section - – **Search box** - Select File from the drop–down menu and enter the file name + - **Alerts** - Click the file links from the Description or Details in the Alert timeline
      + - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
      + - **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. @@ -173,10 +173,10 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure **Submit files for deep analysis:** -1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: - – Alerts - click the file links from the **Description** or **Details** in the Alert timeline - – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section - – Search box - select **File** from the drop–down menu and enter the file name +1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
      + - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
      + - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
      + - Search box - select **File** from the drop–down menu and enter the file name
      2. In the **Deep analysis** section of the file view, click **Submit**. ![You can only submit PE files in the file details section](images/submit-file.png) diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md index aa7ec15eef..63d6ce419e 100644 --- a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md +++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md @@ -32,7 +32,7 @@ author: iaanw - Windows Defender Security Center app -After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define +After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. **Use Configuration Manager to review Windows Defender AV scan results:** @@ -54,7 +54,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us **Use PowerShell cmdlets to review Windows Defender AV scan results:** -The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection: +The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection: ```PowerShell Get-MpThreatDetection diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md index f494c10f93..4e29084ea1 100644 
--- a/windows/keep-secure/run-scan-windows-defender-antivirus.md
+++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md
@@ -65,7 +65,7 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
 **Use Configuration Manager to run a scan:**
-See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
index 50ca1d5359..a4826a52ae 100644
--- a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -33,7 +33,7 @@ author: iaanw
-> [!IMPORTANT]
+> [!NOTE]
 > By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
@@ -201,7 +201,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
 Use the following cmdlets:
 ```PowerShell
-Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
+Set-MpPreference -ScanScheduleQuickTime
 ```
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md
index 81e9282bd3..a0c2aaf46e 100644
--- a/windows/keep-secure/testing-scenarios-for-wip.md
+++ b/windows/keep-secure/testing-scenarios-for-wip.md
@@ -141,7 +141,7 @@ You can try any of the processes included in these scenarios, but you should foc
 Verify your Virtual Private Network (VPN) can be auto-triggered.
        -
      1. Set up your VPN network to start based on the WIPModeID setting.
        For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-wip-policy-using-intune.md) topic.
      2. +
      3. Set up your VPN network to start based on the WIPModeID setting.
        For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) topic.
      4. Start an app from your allowed apps list.
        The VPN network should automatically start.
      5. Disconnect from your network and then start an app that isn't on your allowed apps list.
        The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
      diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index f05e878db5..a02feda9ea 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -151,8 +151,21 @@ Event ID | Message | Resolution steps 5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). 6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). 7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. +9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

      If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

      If the problem persists, contact support. 15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. +64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. +68 | The start type of the service is unexpected. 
Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. +69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. +
      There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. diff --git a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..c782fef5df --- /dev/null +++ b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,52 @@
+---
+title: Troubleshoot SIEM tool integration issues in Windows Defender ATP
+description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP.
+keywords: troubleshoot, siem, client secret, secret
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Troubleshoot SIEM tool integration issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You might need to troubleshoot issues while pulling alerts in your SIEM tools.
+
+This page provides detailed steps to troubleshoot issues you might encounter.
+
+
+## Learn how to get a new client secret
+If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.
+
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
+
+5. Select **Keys** section, then provide a key description and specify the key validity duration.
+
+6. Click **Save**. The key value is displayed.
+
+7. Copy the value and save it in a safe place.
+
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
index ebca8b01c8..4e7c275117 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
@@ -91,7 +91,7 @@ The table in this section lists the main Windows Defender Antivirus client event
    Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>

    @@ -133,7 +133,7 @@ The table in this section lists the main Windows Defender Antivirus client event
  • Customer scan
  • -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Scan Time: <The duration of a scan.>

    @@ -223,7 +223,7 @@ The table in this section lists the main Windows Defender Antivirus client event
  • Customer scan
  • -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>

    @@ -267,7 +267,7 @@ The table in this section lists the main Windows Defender Antivirus client event
  • Customer scan
  • -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>

    @@ -311,7 +311,7 @@ The table in this section lists the main Windows Defender Antivirus client event
  • Customer scan
  • -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> @@ -403,7 +403,7 @@ Description of the error.
    Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
    Status: <Status>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Process Name: <Process in the PID>
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    @@ -438,7 +438,7 @@ UAC

    Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Name: <Threat name>
    ID: <Threat ID>
    Severity: <Severity>, for example:
      @@ -491,7 +491,7 @@ UAC

    Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Name: <Threat name>
    ID: <Threat ID>
    Severity: <Severity>, for example:
      @@ -562,7 +562,7 @@ Description of the error.
    Category: <Category description>, for example, any threat or malware type.
    Path: <File path>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    @@ -607,7 +607,7 @@ Description of the error.
    Category: <Category description>, for example, any threat or malware type.
    Path: <File path>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> @@ -656,7 +656,7 @@ For more information please see the following:

    Category: <Category description>, for example, any threat or malware type.
    Path: <File path>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    @@ -701,7 +701,7 @@ For more information please see the following:

    Category: <Category description>, for example, any threat or malware type.
    Path: <File path>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> @@ -739,7 +739,7 @@ Description of the error.

    Windows Defender has removed history of malware and other potentially unwanted software.

    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>

    @@ -771,7 +771,7 @@ Description of the error.

    Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> @@ -847,7 +847,7 @@ For more information please see the following:

    Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
    Status: <Status>
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Process Name: <Process in the PID>
    Signature ID: Enumeration matching severity.
    Signature Version: <Definition version>
    @@ -925,7 +925,7 @@ For more information please see the following:

  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Process Name: <Process in the PID>
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    @@ -1008,7 +1008,7 @@ For more information please see the following:

  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Process Name: <Process in the PID>
    Action: <Action>, for example:
    • Clean: The resource was cleaned
    • @@ -1029,7 +1029,7 @@ Description of the error.
    Engine Version: <Antimalware Engine version>

    NOTE:

    Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

      -
    • Default Internet Explorer or Edge setting
    • +
    • Default Internet Explorer or Microsoft Edge setting
    • User Access Control settings
    • Chrome settings
    • Boot Control Data
    • @@ -1137,7 +1137,7 @@ For more information please see the following:

    • Remote attestation
    Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Process Name: <Process in the PID>
    Action: <Action>, for example:
    • Clean: The resource was cleaned
    • @@ -1234,7 +1234,7 @@ For more information please see the following:

    • Remote attestation
    Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Process Name: <Process in the PID>
    Action: <Action>, for example:
    • Clean: The resource was cleaned
    • @@ -1388,7 +1388,7 @@ Description of the error.

    User action:

    -

    No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.

    +

    No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.

    @@ -1428,7 +1428,7 @@ Description of the error.
    Update Type: <Update type>, either Full or Delta.
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Current Engine Version: <Current engine version>
    Previous Engine Version: <Previous engine version>
    @@ -1496,7 +1496,7 @@ Description of the error.
    Update Type: <Update type>, either Full or Delta.
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Current Engine Version: <Current engine version>
    Previous Engine Version: <Previous engine version>
    Error Code: <Error code> @@ -1559,7 +1559,7 @@ Description of the error.
    Current Engine Version: <Current engine version>
    Previous Engine Version: <Previous engine version>
    Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>

    @@ -1601,7 +1601,7 @@ Description of the error.
    New Engine Version:
    Previous Engine Version: <Previous engine version>
    Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
    -
    User: <Domain>\<User>
    +
    User: <Domain>\\<User>
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> @@ -2717,6 +2717,7 @@ This section provides the following information about Windows Defender Antivirus - The error code - The possible reason for the error - Advice on what to do now + Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md index b9a28ec92a..661ce72277 100644 --- a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md +++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md 
@@ -40,13 +40,13 @@ The following table in this topic lists the Group Policy settings available in W Location | Setting | Documented in topic ---|---|--- Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) -Client interface | Display additional text to clients when they need to perform an action | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md) -Client interface | Suppress all notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md) -Client interface | Suppresses reboot notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md) -Exclusions | Extension Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md) -Exclusions | Path Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md) -Exclusions | Process Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md) -Exclusions | Turn off Auto Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md) +Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +Exclusions | Extension Exclusions | 
[Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) 
@@ -63,14 +63,14 @@ Real-time protection | Configure local setting override for monitoring for incom Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Monitor file and program activity on your computer | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Scan all downloaded files and attachments | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn off real-time protection | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn on behavior monitoring | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn on process scanning whenever real-time protection is enabled | [EnableandconfigureWindowsDefenderAValways-on protection and 
monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn on raw volume write notifications | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and 
monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) @@ -81,7 +81,7 @@ Reporting | Configure time out for detections in critically failed state | Not u Reporting | Configure time out for detections in non-critical failed state | Not used Reporting | Configure time out for detections in recently remediated state | Not used Reporting | Configure time out for detections requiring additional action | Not used -Reporting | Turn off enhanced notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md) +Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) Root | Turn off Windows Defender Antivirus | Not used Root | Define addresses to bypass proxy server | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used 
@@ -103,7 +103,7 @@ Scan | Configure local setting override for scheduled scan time | [Prevent or al Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Scan | Turn on heuristics | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md index 2cf071feeb..d7904ec127 100644 --- a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md 
@@ -16,7 +16,7 @@ author: iaanw If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV. -In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV. +In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV. See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md index d3d65aa3ad..ae1135c98c 100644 --- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md 
@@ -27,9 +27,9 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). -Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. -You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). +You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. 
@@ -38,10 +38,11 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window 1. Click **Start**, type **powershell**, and press **Enter**. 2. Click **Windows PowerShell** to open the interface. - > [!NOTE] - > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. 3. Enter the command and parameters. +> [!NOTE] +> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. + To open online help for any of the cmdlets type the following: ```PowerShell diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md index cc74e07307..39b5a2ad99 100644 --- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md +++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md 
@@ -20,15 +20,15 @@ author: iaanw Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. -Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx). +Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx). Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md). The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts. -Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. +Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. -You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). +You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). ## Related topics diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md index daa6be5167..eaf4299596 100644 --- a/windows/keep-secure/using-owa-with-wip.md 
+++ b/windows/keep-secure/using-owa-with-wip.md @@ -1,7 +1,7 @@ --- -title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10) -description: Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration +title: Using Outlook on the web with Windows Information Protection (WIP) (Windows 10) +description: Options for using Outlook on the web with Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -10,7 +10,7 @@ author: eross-msft localizationpriority: high --- -# Using Outlook Web Access with Windows Information Protection (WIP) +# Using Outlook on the web with Windows Information Protection (WIP) **Applies to:** - Windows 10, version 1607 and later 
@@ -18,16 +18,16 @@ localizationpriority: high >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). -Because Outlook Web Access (OWA) can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): +Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): -|Option |OWA behavior | +|Option |Outlook on the web behavior | |-------|-------------| -|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. | -|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. | -|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | +|Disable Outlook on the web. Employees can only use Microsoft Outlook 2016 or the Mail for Windows 10 app. | Disabled. | +|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into Outlook on the web receive prompts and that files downloaded from Outlook on the web aren't automatically protected as corporate data. | +|Add outlook.office.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. 
This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] ->These limitations don’t apply to Outlook 2016 or to the Office 365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. +>These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. diff --git a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 708740d908..bd45aa1d5f 100644 --- a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -31,7 +31,7 @@ Cloud-delivered protection for Windows Defender Antivirus, also referred to as M Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds. -Cloud-delivered protecton is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. +Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager. 
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 0a9feddff7..0963cb7037 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md @@ -27,6 +27,8 @@ localizationpriority: high Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787]. + Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors diff --git a/windows/keep-secure/windows-defender-antivirus-compatibility.md b/windows/keep-secure/windows-defender-antivirus-compatibility.md index 23e1a82978..4945834e0f 100644 --- a/windows/keep-secure/windows-defender-antivirus-compatibility.md +++ b/windows/keep-secure/windows-defender-antivirus-compatibility.md 
@@ -29,7 +29,7 @@ author: iaanw
 Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network. See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
 In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
index a9cdcf6735..bcce59abef 100644
--- a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
@@ -66,7 +66,6 @@ Some features require a certain version of Windows 10 - the minimum version requ
 Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
-#
@@ -74,7 +73,7 @@ Functionality, configuration, and management is largely the same when using Wind
 Topic | Description
 :---|:---
-[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
 [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
 [Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
 [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md
index c3e4825764..af07823d3a 100644
--- a/windows/keep-secure/windows-defender-offline.md
+++ b/windows/keep-secure/windows-defender-offline.md
@@ -31,6 +31,8 @@ author: iaanw
 Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
+
 In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
 ## Pre-requisites and requirements
diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/keep-secure/windows-defender-smartscreen-available-settings.md
index 936751e349..fb399e44b3 100644
--- a/windows/keep-secure/windows-defender-smartscreen-available-settings.md
+++ b/windows/keep-secure/windows-defender-smartscreen-available-settings.md
@@ -209,7 +209,7 @@ To better help you protect your organization, we recommend turning on and using
 - [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
-- [Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies)
+- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies)
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/keep-secure/windows-defender-smartscreen-overview.md
index 4df34ae566..e48e138b84 100644
--- a/windows/keep-secure/windows-defender-smartscreen-overview.md
+++ b/windows/keep-secure/windows-defender-smartscreen-overview.md
@@ -18,9 +18,6 @@ localizationpriority: high
 Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
->[!NOTE]
->SmartScreen completely blocks apps from the Internet from running on Windows 10 Mobile.
-
 **SmartScreen determines whether a site is potentially malicious by:**
 - Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
@@ -53,7 +50,7 @@ Windows Defender SmartScreen helps to provide an early warning system against we
 When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx).
 ## Related topics
-- [SmartScreen Frequently Asked Questions (FAQ)](https://support.microsoft.com/en-us/products/windows?os=windows-10)
+- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
 - [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 148d75201f..15a5dc3d5d 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -131,7 +131,7 @@
 ##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
 ### [Troubleshooting App-V](appv-troubleshooting.md)
 ### [Technical Reference for App-V](appv-technical-reference.md)
-#### [Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md)
+#### [Available Mobile Device Management (MDM) settings for App-V](appv-available-mdm-settings.md)
 #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
 #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
 #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
diff --git a/windows/manage/appv-available-mdm-settings.md b/windows/manage/appv-available-mdm-settings.md
index dc5eb1a61a..1fc2a529b1 100644
--- a/windows/manage/appv-available-mdm-settings.md
+++ b/windows/manage/appv-available-mdm-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Available Mobile Data Management (MDM) settings for App-V (Windows 10)
+title: Available Mobile Device Management (MDM) settings for App-V (Windows 10)
 description: A list of the available MDM settings for App-V on Windows 10.
 author: eross-msft
 ms.pagetype: mdop, appcompat, virtualization
@@ -8,8 +8,8 @@ ms.sitesec: library
 ms.prod: w10
 ---
-# Available Mobile Data Management (MDM) settings for App-V
-With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Data Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
+# Available Mobile Device Management (MDM) settings for App-V
+With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
    diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index d6a3868254..62a652728f 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -16,19 +16,21 @@ This topic lists new and updated topics in the [Manage Windows 10](index.md) doc
 ## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md).
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md). The following new topics have been added:
+
+- [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
+- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
+- [Available Mobile Device Management (MDM) settings for App-V](appv-available-mdm-settings.md)
+
 ## March 2017
 | New or changed topic | Description |
 | --- | --- |
 |[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New |
-|[What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md)|Updated to include new features in App-V for Windows 10, version 1703.
|
-|[Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)|New |
-|[Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) |New |
-|[Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) |New |
-|[Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) |New |
-|[Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) |New |
-|[Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md) |New |
+
 ## February 2017
 | New or changed topic | Description |
diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md
index d4c07de29f..8d22548f35 100644
--- a/windows/manage/configure-mdm-provider-windows-store-for-business.md
+++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md
@@ -30,7 +30,7 @@ Your management tool needs to be installed and configured with Azure AD, in the
 3. Click **Applications**, find the application, and add it to your directory.
-After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business.
+After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business. You can configure multiple management tools - just repeat the following procedure.
 **To configure a management tool in Store for Business**
@@ -40,7 +40,7 @@ After your management tool is added to your Azure AD directory, you can configur
 You'll see a list of available MDM tools.
- ![](images/wsfb-settings-mgmt.png)
+ ![Screenshot showing page in Management tools page in Windows Store for Business](images/wsfb-settings-mgmt.png)
 3. Choose the MDM tool you want to synchronize with Store for Business, and then click **Activate.**
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index 969c7bc490..61e6b65929 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -62,7 +62,7 @@ However, neither of these methods provides SSO in the Windows Store or SSO to re
 Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
-An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook Web Access, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
+An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
 ## Preparing for Windows 10 Mobile
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index dbf68b6bad..43a9468143 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -31,7 +31,7 @@ We need an email address in case we need to contact you about your Store for Bus
 To update Organization information, click **Edit organization information**.
-## Organization tax information ##
+## Organization tax information
 Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
 - Austria
 - Belgium
@@ -96,7 +96,7 @@ For example:
    ($1.29 X .095) X 100 = $12.25
-##Payment options##
+## Payment options
 You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards:
 1. VISA
 2. MasterCard
@@ -104,8 +104,8 @@ You can purchase apps from the Windows Store for Business using your credit card
 4. American Express
 5. Japan Commercial Bureau (JCB)
-**Note**:
    -Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
+> [!NOTE]
+> Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
 **To add a new payment option**
@@ -116,7 +116,8 @@ Not all cards available in all countries. When you add a payment option, Store f
 Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
-**Note**:
    When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation.
+> [!NOTE]
+> When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation
 **To update a payment option**
@@ -126,9 +127,10 @@ Once you click Next, the information you provided will be validated with a tes
 4. Enter any updated information in the appropriate fields, and then click **Next**. Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
-**Note**:
     Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance.
+> [!NOTE]
+> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
-##Offline licensing##
+## Offline licensing
 Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index 6d43bdcb7f..e8814f6869 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,6 +13,12 @@ author: TrudyHa
 This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic:
+- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md)
+
 ## January 2017
 | New or changed topic | Description |
 |----------------------|-------------|
diff --git a/windows/update/change-history-for-update-windows-10.md b/windows/update/change-history-for-update-windows-10.md
index d1a178004f..97ece9af22 100644
--- a/windows/update/change-history-for-update-windows-10.md
+++ b/windows/update/change-history-for-update-windows-10.md
@@ -15,5 +15,7 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
 ## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
-
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
+* [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
\ No newline at end of file
diff --git a/windows/update/images/waas-wipfb-aad-classicaad.png b/windows/update/images/waas-wipfb-aad-classicaad.png
new file mode 100644
index 0000000000..424f4bca0a
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-classicaad.png differ
diff --git a/windows/update/images/waas-wipfb-aad-classicenable.png b/windows/update/images/waas-wipfb-aad-classicenable.png
new file mode 100644
index 0000000000..9cc78c2736
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-classicenable.png differ
diff --git a/windows/update/images/waas-wipfb-aad-consent.png b/windows/update/images/waas-wipfb-aad-consent.png
new file mode 100644
index 0000000000..aeb78e5ddf
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-consent.png differ
diff --git a/windows/update/images/waas-wipfb-aad-error.png b/windows/update/images/waas-wipfb-aad-error.png
new file mode 100644
index 0000000000..83e6ca9974
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-error.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newaad.png b/windows/update/images/waas-wipfb-aad-newaad.png
new file mode 100644
index 0000000000..87a6f5e750
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newaad.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newdirectorybutton.png b/windows/update/images/waas-wipfb-aad-newdirectorybutton.png
new file mode 100644
index 0000000000..9da18db5d1
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newdirectorybutton.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newenable.png b/windows/update/images/waas-wipfb-aad-newenable.png
new file mode 100644
index 0000000000..f9bbe57b26
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newenable.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newusersettings.png b/windows/update/images/waas-wipfb-aad-newusersettings.png
new file mode 100644
index 0000000000..ab28da5cbc
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newusersettings.png differ
diff --git a/windows/update/index.md b/windows/update/index.md
index 4346995b12..18f0e7fcdd 100644
--- a/windows/update/index.md
+++ b/windows/update/index.md
@@ -41,6 +41,7 @@ Windows as a service provides a new way to think about building, deploying, and
 | [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
 | [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
 | [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
+| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
 >[!TIP]
 >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md
index 0bfbe6c026..03aeba51b9 100644
--- a/windows/update/waas-configure-wufb.md
+++ b/windows/update/waas-configure-wufb.md
@@ -84,11 +84,11 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
 ## Pause Feature Updates
-You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date.
+Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
 With version 1703, pausing through the settings app will provide a more consistent experience:
 - Any active restart notification are cleared or closed
@@ -98,6 +98,8 @@ With version 1703, pausing through the settings app will provide a more consiste
 >[!IMPORTANT]
 >This policy does not apply to Windows 10 Mobile Enterprise.
+>
+>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
 **Pause Feature Updates policies**
@@ -110,7 +112,7 @@ With version 1703, pausing through the settings app will provide a more consiste
 You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
 | Value | Status|
 | --- | --- |
@@ -234,12 +236,11 @@ When a client running a newer version sees an update available on Windows Update
 In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
    - +
    Group Policy keys
    Version 1511 GPO keysVersion 1607 GPO keys
    **DeferUpgrade**: *enable/disable*
        -Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

    **DeferUpgradePeriod**: *0 - 8 months*

    **DeferUpdatePeriod**: *1 – 4 weeks*

    **Pause**: *enable/disable*
       Enabling will pause both upgrades and updates for a max of 35 days
    **DeferFeatureUpdates**: *enable/disable*

    **BranchReadinessLevel**
       Set device on CB or CBB

    **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

    **PauseFeatureUpdates**: *enable/disable*
       Enabling will pause Feature updates for a max of 60 days

    **DeferQualityUpdates**: *Enable/disable*

    **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

    **PauseQualityUpdates**: *enable/disable*
       Enabling will pause Quality updates for a max of 35 days

    **ExcludeWUDrivers**: *enable/disable*
    **DeferUpgrade**: *enable/disable*
    Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

    **DeferUpgradePeriod**: *0 - 8 months*

    **DeferUpdatePeriod**: *1 – 4 weeks*

    **Pause**: *enable/disable*
    Enabling will pause both upgrades and updates for a max of 35 days
    **DeferFeatureUpdates**: *enable/disable*

    **BranchReadinessLevel**
    Set device on CB or CBB

    **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

    **PauseFeatureUpdates**: *enable/disable*
    Enabling will pause Feature updates for a max of 60 days

    **DeferQualityUpdates**: *Enable/disable*

    **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

    **PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

    **ExcludeWUDrivers**: *enable/disable*
    - +
    MDM keys
    Version 1511 MDM keysVersion 1607 MDM keys
    **RequireDeferUpgade**: *bool*
       Puts the device on CBB (no ability to defer updates while on the CB branch).

    **DeferUpgradePeriod**: *0 - 8 months*

    **DeferUpdatePeriod**: *1 – 4 weeks*

    **PauseDeferrals**: *bool*
       Enabling will pause both upgrades and updates for a max of 35 days
    **BranchReadinessLevel**
       Set system on CB or CBB

    **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

    **PauseFeatureUpdates**: *enable/disable*
       Enabling will pause Feature updates for a max of 60 days

    **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

    **PauseQualityUpdates**: *enable/disable*
        Enabling will pause Quality updates for a max of 35 days

    **ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
    **RequireDeferUpgade**: *bool*
    Puts the device on CBB (no ability to defer updates while on the CB branch).

    **DeferUpgradePeriod**: *0 - 8 months*

    **DeferUpdatePeriod**: *1 – 4 weeks*

    **PauseDeferrals**: *bool*
    Enabling will pause both upgrades and updates for a max of 35 days
    **BranchReadinessLevel**
    Set system on CB or CBB

    **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

    **PauseFeatureUpdates**: *enable/disable*
    Enabling will pause Feature updates for a max of 60 days

    **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

    **PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

    **ExcludeWUDriversInQualityUpdate**: *enable/disable*
    ### Comparing the version 1607 keys to the version 1703 keys
diff --git a/windows/update/waas-optimize-windows-10-updates.md b/windows/update/waas-optimize-windows-10-updates.md
index dba3ee72bb..0c618399e9 100644
--- a/windows/update/waas-optimize-windows-10-updates.md
+++ b/windows/update/waas-optimize-windows-10-updates.md
@@ -49,7 +49,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
 ### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager.
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
 - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
diff --git a/windows/update/waas-quick-start.md b/windows/update/waas-quick-start.md
index 28b2e3d36a..51827c8f74 100644
--- a/windows/update/waas-quick-start.md
+++ b/windows/update/waas-quick-start.md
@@ -42,7 +42,7 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing
 ## Staying up to date
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
 Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
diff --git a/windows/update/waas-restart.md b/windows/update/waas-restart.md
index 8eb41f55fc..da651bccc2 100644
--- a/windows/update/waas-restart.md
+++ b/windows/update/waas-restart.md
@@ -63,8 +63,6 @@ To configure active hours using Group Policy, go to **Computer Configuration\Adm
 ![Use Group Policy to configure active hours](images/waas-active-hours-policy.png)
-To configure max active hours range, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. This is only available from Windows 10, version 1703.
-
 ### Configuring active hours with MDM
 MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
@@ -84,10 +82,64 @@ For a detailed description of these regsitry keys, see [Registry keys used to ma > >![Change active hours](images/waas-active-hours.png) +### Configuring active hours max range + +With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time. + +To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. + +To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange). + ## Limit restart delays After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. +## Control restart notifications + +In Windows 10, version 1703, we have added settings to control restart notifications for users. + +### Auto-restart notifications + +Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. + +To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. 
When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. + +To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal) + +You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes. + +To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes. + +To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule). + + +In some cases, you don't need a notification to show up. + +To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**. + +To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable). + +### Scheduled auto-restart warnings + +Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled a restart. You can also configure a configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. 
+ +To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**. + +In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning). + +### Engaged restart + +Engaged restart is the period of time when users are required to schedule a restart. When this period ends (7 days by default), Windows transitions to auto-restart outside of active hours. + +The following settings can be adjusted for engaged restart: +* Period of time before engaged restart transitions to auto-restart. +* The number of days that users can snooze engaged restart reminder notifications. +* The number of days before a pending restart automatically executes outside of working hours. + +In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**. 
+ +In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively. + ## Group Policy settings for restart In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10. diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/update/waas-windows-insider-for-business-aad.md index f749ef1c36..5467e01600 100644 --- a/windows/update/waas-windows-insider-for-business-aad.md +++ b/windows/update/waas-windows-insider-for-business-aad.md 
@@ -37,12 +37,11 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
 ## Enroll a device with an Azure Active Directory account
 1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions.
 2. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**.
+3. Enter the AAD account that you used to register and follow the on-screen directions.
 >[!NOTE]
 >Make sure that you have administrator rights to the machine and that it has latest Windows updates.
-3. Enter the AAD account that you used to register and follow the on-screen directions.
-
 ## Switch device enrollment from your Microsoft account to your AAD account
 1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account.
 2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**.
@@ -55,6 +54,46 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc >[!NOTE] >Your device must be connected to your corporate account in AAD for the account to appear in the account list. +## User consent requirement + +With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: + +![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) + +Once agreed, everything will work fine and that user won't be prompted for permission again. + +### Something went wrong + +The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. + +In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: + +![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) + +This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. + +**To fix this issue**, an adminsitrator of the AAD directory will need to enable user consent for apps to access their data. + +To do this through the **classic Azure portal**: +1. Go to https://manage.windowsazure.com/ . +2. Switch to the **Active Directory** dashboard. + ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) +3. Select the appropriate directory and go to the **Configure** tab. +4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. + ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) + +To do this through the **new Azure portal**: +1. 
Go to https://portal.azure.com/ . +2. Switch to the **Active Directory** dashboard. + ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) +3. Switch to the appropriate directory. + ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) +4. Under the **Manage** section, select **User settings**. + ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) +5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. + ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) + + ## Frequently Asked Questions ### Will my test machines be affected by automatic registration? diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/update/waas-windows-insider-for-business-faq.md index 653d6d5c93..aa84530023 100644 --- a/windows/update/waas-windows-insider-for-business-faq.md +++ b/windows/update/waas-windows-insider-for-business-faq.md 
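Review bot: The "To fix this issue" steps tell an AAD administrator to re-enable **Users may give applications permissions to access their data** / **Users can allow apps to access their data**, but that switch is directory-wide: it governs user consent for every application in the tenant, not only the Feedback Hub, and an administrator who disabled it did so to stop users granting arbitrary apps access to their data. The section should say so before the portal steps, so the reader weighs that trade-off rather than flipping the setting to unblock one app. Suggested text after "To fix this issue": `> [!IMPORTANT] This setting applies to all applications in the directory, not only the Feedback Hub. If user consent was disabled as a policy decision, confirm with the directory owner before re-enabling it.` Whether a narrower, per-app consent path exists for this scenario is not established by the page, so it is not proposed here.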
@@ -31,11 +31,12 @@ Hindi, Catalan, and Vietnamese can only be installed as a language pack over [su
 > To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
 ### How do I register for the Windows Insider Program for Business?
-To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account \that you use for Office 365 and other Microsoft services.
+To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services.
 1. Visit https://insider.windows.com and click **Get Started**.
 2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions.
-3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
+
 >[!NOTE]
 >Make sure that you have administrator rights to your machine and that it has latest Windows updates.
@@ -73,7 +74,7 @@ In just a few steps, you can switch your existing program registration from your
 Sign in to the Feedback Hub using the same AAD account you are using to flight builds.
 ### Am I going to lose all the feedback I submitted and badges I earned with my MSA?
-No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badge you’ve earned.
+No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
 ### How is licensing handled for Windows 10 Insider builds?
 All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account.
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md
index b25fa5f18b..5308d3e795 100644
--- a/windows/update/waas-windows-insider-for-business.md
+++ b/windows/update/waas-windows-insider-for-business.md
@@ -20,9 +20,9 @@ localizationpriority: high
 For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation. The Windows Insider Program for Business gives you the opportunity to:
-* Get early access to Windows Insider Preview Builds
+* Get early access to Windows Insider Preview Builds.
 * Provide feedback to Microsoft in real-time via the Feedback Hub app.
-* Sign-in with coproate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
+* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
 Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
@@ -56,9 +56,8 @@ Best for Insiders who enjoy getting early access to updates for the Current Bran
 Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
-* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch
-* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows
-Ring
+* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch.
+* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
 ### Slow
@@ -66,15 +65,16 @@ The Slow Windows Insider level is for users who enjoy seeing new builds of Windo * Builds are sent to the Slow Ring after feedback has been received from Insiders within the Fast Ring and analyzed by our Engineering teams. * These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. -* These builds are still may have issues that would be addressed in a future flight. +* These builds still may have issues that would be addressed in a future flight. ### Fast -Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great +Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. * Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. * Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. -* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. 
• Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum +* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. +* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum. >[!NOTE] >Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. @@ -85,11 +85,11 @@ During your time in the Windows Insider Program, you may want to change between 1. Go to **Settings > Updates & Security > Windows Insider Program** 2. Under **Choose your level**, select between the following rings - - * [Windows Insider Fast](#fast) - * [Windows Insider Slow](#slow) - * [Release Preview](#release-preview) + * [Windows Insider Fast](#fast) + * [Windows Insider Slow](#slow) + * [Release Preview](#release-preview) -## How to switch between you MSA and your Corporate AAD account +## How to switch between your MSA and your Corporate AAD account The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA). 
@@ -108,11 +108,16 @@ When providing feedback, please consider the following: 3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. ### How to use your corporate AAD account for additional Feedback Hub benefits -Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization. +Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that you're using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization. >[!NOTE] >If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. +>[!IMPORTANT] +>With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again. 
+> +> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [User consent requirement](waas-windows-insider-for-business-aad.md#user-consent-requirement). + ## Not receiving Windows 10 Insider Preview build updates? In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: @@ -126,7 +131,7 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch ### Make sure Windows is activated Go to **Settings > Updates & Security > Activation** to verify Windows is activated. -### Make sure your coporate account in AAD is connected to your device +### Make sure your corporate account in AAD is connected to your device Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account. ### Make sure you have selected a flight ring diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index f23a6b2556..a909347a7b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -347,7 +347,7 @@ We also recommend that you upgrade to IE11 if you're running any earlier version ## Learn more -- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) +- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)   diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 73a74e3409..f10f250341 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -14,10 +14,10 @@ ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). -For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] ->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). +>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).   ## Configuration 
@@ -36,9 +36,9 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof [Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) -### Bulk enrollment in Azure Active Directory +### Azure Active Directory join in bulk -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards. +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. ![get bulk token action in wizard](images/bulk-token.png) @@ -75,6 +75,8 @@ Cortana is Microsoft’s personal digital assistant, who helps busy people get t Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. +For more info about Cortana at work, see (../configure/cortana-at-work-overview.md) + ## Deployment 
@@ -119,6 +121,8 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787]. + ### Windows Defender Antivirus Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md). @@ -158,7 +162,7 @@ A new security policy setting ### Windows Hello for Business -You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal. 
@@ -180,7 +184,10 @@ We recently added the option to download Windows 10 Insider Preview builds using ### Optimize update delivery -[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10, version 1703, [Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. 
@@ -209,14 +216,15 @@ Some of the other new CSPs are: - The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. -- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for fixed drives and removable drives. +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. - The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). -- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. 
+IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. [Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) 
@@ -226,7 +234,9 @@ The Windows version of mobile application management (MAM) is a lightweight solu For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). +### MDM diagnostics +In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. 
@@ -237,6 +247,13 @@ For more info, see the following topics: - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md) - [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](../configure/basic-level-windows-diagnostic-events-and-fields.md) +- [Windows 10, version 1703 Diagnostic Data](../configure/windows-diagnostic-data.md) + ## Windows 10 Mobile enhancements ### Lockdown Designer