Merge branch 'master' into MTE_premiereEOD

2025-05-23 10:47:22 +00:00 · 2020-06-09 09:31:22 -07:00 · 2020-06-09 09:31:22 -07:00 · ca4308fe1f
commit ca4308fe1f
parent b190525046 adcac3edfc
18 changed files with 371 additions and 472 deletions
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@ -8,7 +8,7 @@ ms.prod: hololens
 ms.sitesec: library
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 05/12/2020
+ms.date: 06/9/2020
 ms.custom: 
 - CI 111456
 - CSSTroubleshooting
@ -20,6 +20,48 @@ appliesto:
 # HoloLens 2 release notes
 ## Windows Holographic, version 2004 - June 2020 Update
 - Build 19041.1106
 Improvements and fixes in the update:
 - Custom MRC recorders have new default values for certain properties if they aren't specified.
  - On the MRC Video Effect:
    - PreferredHologramPerspective (1 PhotoVideoCamera)
    - GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
  - On the MRC Audio Effect:
    - LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
    - MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
 - This update contains a bug fix that improves audio quality in Mixed Reality Capture scenarios. Specifically, it should eliminate any audio glitching in the recording when the Start Menu is displayed.
 - Improved hologram stability in recorded videos.
 - Resolves an issue where mixed reality capture couldn't record video after device is left in standby state for multiple days.
 - The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
 - When accessing Device Portal over a WiFi connection, a web browser might prevent access to due to an invalid certificate, reporting an error such as "ERR_SSL_PROTOCOL_ERROR," even if the device certificate has previously been trusted.  In this case, you would be unable to progress to Device Portal as options to ignore security warnings are not available.  This update resolves the issue.  If the device certificate was previously downloaded and trusted on a PC to remove browser security warnings and the SSL error has been encountered, the new certificate will need to be downloaded and trusted to address browser security warnings.
 - Enabled ability to create a runtime provisioning package which can install an app using MSIX packages.
 - New setting that users can find under Settings > System > Holograms, that allows users to automatically remove all holograms from the mixed reality home when the device shuts down.
 - Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
 - Fixed bug that caused a crash during Iris Login.
 - Fixes an issue around repeated store downloads for already current apps.
 - Fixed a bug to preventing immersive apps from launching Edge multiple times.
 - Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
 - Improved performance and reliability.
 ## Windows Holographic, version 1903 - June 2020 Update
 - Build 18362.1064
 Improvements and fixes in the update:
 - Custom MRC recorders have new default values for certain properties if they aren't specified.
  - On the MRC Video Effect:
    - PreferredHologramPerspective (1 PhotoVideoCamera)
    - GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
  - On the MRC Audio Effect:
    - LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
    - MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
 - The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
 - Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
 - Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
 ## Windows Holographic, version 2004  
 Build - 19041.1103
@ -32,7 +74,7 @@ We are excited to announce our May 2020 major software update for HoloLens 2, **
 |       Improved provisioning                      |          Seamlessly apply a provisioning   package from a USB drive to your HoloLens                              |
 |       Application install status                 |          Check install status for apps have   been pushed to HoloLens 2 via MDM, in the Settings app              |
 |       Configuration Service Providers   (CSPs)   |          Added new Configuration Service   Providers (CSPs) enhancing admin control capabilities.                 |
-|       USB 5G/LTE support                       |          Expanded USB Ethernet capability   enables support for 5G/LTE dongles                                    |
+|       USB 5G/LTE support                       |          Expanded USB Ethernet capability   enables support for 5G/LTE                                    |
 |       Dark App Mode                              |          Dark App Mode for apps that support   both dark and light modes, improving the viewing experience        |
 |       Voice Commands                             |          Support for additional system voice   commands to control HoloLens, hands-free                           |
 |       Hand Tracking improvements                 |          Hand Tracking improvements make   buttons and 2D slate interactions more accurate                        |
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@ -51,14 +51,15 @@
 ### [Surface Brightness Control](microsoft-surface-brightness-control.md)
 ### [Surface Asset Tag](assettag.md)
 ## Secure
 ### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
 ### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
 ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
 ### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
 ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
 ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
 ### [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)
 ### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
 ### [Surface Data Eraser](microsoft-surface-data-eraser.md)
--- a/devices/surface/images/secure-surface-dock-ports-semm-1.png
+++ b/devices/surface/images/secure-surface-dock-ports-semm-1.png
--- a/devices/surface/images/secure-surface-dock-ports-semm-2.png
+++ b/devices/surface/images/secure-surface-dock-ports-semm-2.png
--- a/devices/surface/images/secure-surface-dock-ports-semm-3.png
+++ b/devices/surface/images/secure-surface-dock-ports-semm-3.png
--- a/devices/surface/images/secure-surface-dock-ports-semm-4.png
+++ b/devices/surface/images/secure-surface-dock-ports-semm-4.png
--- a/devices/surface/images/secure-surface-dock-ports-semm-5.png
+++ b/devices/surface/images/secure-surface-dock-ports-semm-5.png
--- a/devices/surface/images/secure-surface-dock-ports-semm-6.png
+++ b/devices/surface/images/secure-surface-dock-ports-semm-6.png
--- a/devices/surface/secure-surface-dock-ports-semm.md
+++ b/devices/surface/secure-surface-dock-ports-semm.md
@ -0,0 +1,166 @@
 ---
 title: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
 description: This document provides guidance for configuring UEFI port settings for Surface Dock 2 when connected to compatible Surface devices including Surface Book 3, Surface Laptop 3, and Surface Pro 7.
 ms.assetid: 2808a8be-e2d4-4cb6-bd53-9d10c0d3e1d6
 ms.reviewer: 
 manager: laurawi
 keywords: Troubleshoot common problems, setup issues
 ms.prod: w10
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: v-miegge
 ms.author: jesko
 ms.topic: article
 ms.date: 06/08/2020
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
 # Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
 ## Introduction
 Surface Enterprise Management Mode (SEMM) enables IT admins to secure and manage Surface Dock 2 ports by configuring UEFI settings in a Windows installer configuration package (.MSI file) deployed to compatible Surface devices across a corporate environment.
 ### Supported devices
 Managing Surface Dock 2 with SEMM is available for docks connected to Surface Book 3, Surface Laptop 3, and Surface Pro 7. These compatible Surface devices are commonly referred to as **host devices**. A package is applied to host devices based on if a host device is **authenticated** or **unauthenticated**. Configured settings reside in the UEFI layer on host devices enabling you — the IT admin — to manage Surface Dock 2 just like any other built-in peripheral such as the camera.
 >[!NOTE]
 >You can manage Surface Dock 2 ports only when the dock is connected to one of the following compatible devices:  Surface Book 3, Surface Laptop 3, and Surface Pro 7. Any device that doesn't receive the UEFI Authenticated policy settings is inherently an unauthenticated device.
 Restricting Surface Dock 2 to authorized persons signed into a corporate host device provides another layer of data protection. This ability to lock down Surface Dock 2 is critical for specific customers in highly secure environments who want the functionality and productivity benefits of the dock while maintaining compliance with strict security protocols. We anticipate SEMM used with Surface Dock 2 will be particularly useful in open offices and shared spaces especially for customers who want to lock USB ports for security reasons.
 ## Configuring and deploying UEFI settings for Surface Dock 2
 This section provides step-by-step guidance for the following tasks:
 1. Install **Surface UEFI Configurator**.
 1. Create or obtain public key certificates.
 1. Create an .MSI configuration package.
   1. Add your certificates.
   1. Enter the 16-digit RN number for your Surface Dock 2 devices.
   1. Configure UEFI settings.
 1. Build and apply the configuration package to targeted Surface devices (Surface Book 3, Surface Laptop 3, or Surface Pro 7.)
 >[!NOTE]
 >The **Random Number (RN)** is a unique 16-digit hex code identifier which is provisioned at the factory, and printed in small type on the underside of the dock. The RN differs from most serial numbers in that it can't be read electronically. This ensures proof of ownership is primarily established only by reading the RN when physically accessing the device. The RN may also be obtained during the purchase transaction and is recorded in Microsoft inventory systems.
 ### Install SEMM and Surface UEFI Configurator
 Install SEMM by running **SurfaceUEFI_Configurator_v2.71.139.0.msi**. This is a standalone installer and contains everything you need to create and distribute configuration packages for Surface Dock 2.
 - Download **Surface UEFI Configurator** from [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
 ## Create public key certificates
 This section provides specifications for creating the certificates needed to manage ports for Surface Dock 2.
 ### Prerequisites
 This article assumes that you either obtain certificates from a third-party provider or you already have expertise in PKI certificate services and know how to create your own.  You should be familiar with and follow the general recommendations for creating certificates as described in [Surface Enterprise Management Mode (SEMM)](https://docs.microsoft.com/surface/surface-enterprise-management-mode) documentation, with one exception. The certificates documented on this page require expiration terms of 30 years for the **Dock Certificate Authority**, and 20 years for the **Host Authentication Certificate**.
 For more information, see [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture) documentation and review the appropriate chapters in [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277), or [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788) available from Microsoft Press.
 ### Root and host certificate requirements
 Prior to creating the configuration package, you need to prepare public key certificates that authenticate ownership of Surface Dock 2 and facilitate any subsequent changes in ownership during the device lifecycle. The host and provisioning certificates require entering EKU IDs otherwise known as **Client Authentication Enhanced Key Usage (EKU) object identifiers (OIDs)**.
 The required EKU values are listed in Table 1 and Table 2.
 #### Table 1. Root and Dock Certificate requirements
 |Certificate|Algorithm|Description|Expiration|EKU OID|
 |---|---|---|---|---|
 |Root Certificate Authority|ECDSA_P384|- Root certificate with 384-bit prime elliptic curve digital signature algorithm (ECDSA)<br>- SHA 256 Key Usage:<br>CERT_DIGITAL_SIGNATURE_KEY_USAGE<br>- CERT_KEY_CERT_SIGN_KEY_USAGE<br>CERT_CRL_SIGN_KEY_USAGE|30 years|N/A
 |Dock Certificate Authority|ECC P256 curve|- Host certificate with 256-bit elliptic-curve cryptography (ECC)<br>- SHA 256 Key Usage:<br>CERT_KEY_CERT_SIGN_KEY_USAGE<br>- Path Length Constraint = 0|20 years|1.3.6.1.4.1.311.76.9.21.2<br>1.3.6.1.4.1.311.76.9.21.3|
   >[!NOTE]
   >The dock CA must be exported as a .p7b file.
 ### Provisioning Administration Certificate requirements
 Each host device must have the doc CA and two certificates as shown in Table 2.
 #### Table 2. Provisioning administration certificate requirements
 |Certificate|Algorithm|Description|EKU OID|
 |---|---|---|---|
 |Host authentication certificate|ECC P256<br>SHA 256|Proves the identity of the host device.|1.3.6.1.4.1.311.76.9.21.2|
 |Provisioning administration certificate|ECC P256<br>SHA256|Enables you to change dock ownership and/or policy settings by allowing you to replace the CA that's currently installed on the dock.|1.3.6.1.4.1.311.76.9.21.3<br>1.3.6.1.4.1.311.76.9.21.4|
   >[!NOTE]
   >The host authentication and provisioning certificates must be exported as.pfx files.
 ### Create configuration package
 When you have obtained or created the certificates, you’re ready to build the MSI configuration package that will be applied to target Surface devices.
 1. Run Surface **UEFI Configurator**.
   ![Run Surface UEFI Configurator](images/secure-surface-dock-ports-semm-1.png)
 1. Select **Surface Dock**.
   ![Select Surface Dock](images/secure-surface-dock-ports-semm-2.png)
 1. On the certificate page, enter the appropriate **certificates**.
   ![enter the appropriate certificates](images/secure-surface-dock-ports-semm-3.png)
 1. Add appropriate dock RNs to the list.
   >[!NOTE]
   >When creating a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a .csv file that contains a list of RNs.
 1. Specify your policy settings for USB data, Ethernet, and Audio ports. UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). The following figure shows port access turned on for authenticated users and turned off for unauthenticated users.
   ![Choose which components you want to activate or deactivate.](images/secure-surface-dock-ports-semm-4.png)
   - Authenticated user refers to a Surface Device that has the appropriate certificates installed, as configured in the .MSI configuration package that you applied to target devices. It applies to any user authenticated user who signs into the device. 
   - Unauthenticated user refers to any other device.
   - Select **Reset** to create a special “Reset” package that will remove any previous configuration package that the dock had accepted.
 1. Select **Build** to create the package as specified.
 ### Apply the configuration package to a Surface Dock 2
 1. Take the MSI file that the Surface UEFI Configurator generated and install it on a Surface host device. Compatible host devices are Surface Book 3, Surface Laptop 3, or Surface Pro 7.
 1. Connect the host device to the Surface Dock 2. When you connect the dock UEFI policy settings are applied.
 ## Verify managed state using the Surface App
 Once you have applied the configuration package, you can quickly verify the resultant policy state of the dock directly from the Surface App, installed by default on all Surface devices. If Surface App isn't present on the device, you can download and install it from the Microsoft Store.
 ### Test scenario
 Objective: Configure policy settings to allow port access by authenticated users only.
 1. Turn on all ports for authenticated users and turn them off for unauthenticated users.
   ![Enabling ports for authenticated users](images/secure-surface-dock-ports-semm-4.png)
 1. Apply the configuration package to your target device and then connect Surface Dock 2.
 1. Open **Surface App** and select **Surface Dock** to view the resultant policy state of your Surface Dock. If the policy settings are applied, Surface App will indicate that ports are available.
   ![Surface app shows all ports are available for authenticated users](images/secure-surface-dock-ports-semm-5.png)
 1. Now you need to verify that the policy settings have successfully turned off all ports for unauthenticated users. Connect Surface Dock 2 to an unmanaged device, i.e., any Surface device outside the scope of management for the configuration package you created.
 1. Open **Surface App** and select **Surface Dock**. The resultant policy state will indicate ports are turned off.
   ![Surface app showing ports turned off for unauthenticated users ](images/secure-surface-dock-ports-semm-6.png)
 >[!NOTE]
 >If you want to keep ownership of the device, but allow all users full access, you can make a new package with everything turned on. If you wish to completely remove the restrictions and ownership of the device (make it unmanaged), select **Reset** in Surface UEFI Configurator to create a package to apply to target devices.
 Congratulations. You have successfully managed Surface Dock 2 ports on targeted host devices.
 ## Learn more
 - [Surface Enterprise Management Mode (SEMM) documentation](https://docs.microsoft.com/surface/surface-enterprise-management-mode)
 - [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture)
 - [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277)
 - [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788)
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -930,12 +930,35 @@ The following list shows the supported values:
 <!--Description-->
 Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
 <!--/Description-->
 > [!NOTE]
 > This policy is only supported in Azure AD accounts.
 "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy  being set to "0", i.e, silent encryption is enforced.
 If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
    <th>Pro</th>
    <th>Business</th>
    <th>Enterprise</th>
    <th>Education</th>
    <th>Mobile</th>
    <th>Mobile Enterprise</th>
 </tr>
 <tr>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 The expected values for this policy are:
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -1984,7 +1984,8 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 ### June 2020
 |New or updated topic | Description|
 |--- | ---|
-|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description to Integer instead of Boolean for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative|
+|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
 |[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
 ### May 2020
 |New or updated topic | Description|
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@ -13,7 +13,7 @@ metadata:
  ms.collection: windows-10
  author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
  ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  ms.date: 05/27/2020 #Required; mm/dd/yyyy format.
+  ms.date: 06/08/2020 #Required; mm/dd/yyyy format.
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -123,7 +123,7 @@ landingContent:
            url: volume-activation/volume-activation-management-tool.md
          - text: User State Migration Tool (USMT) overview
            url: usmt/usmt-overview.md  
-      - linkListType: learn
+      - linkListType: reference
        links:
          - text: Windows 10 release information
            url: https://docs.microsoft.com/windows/release-information/
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@ -7,7 +7,6 @@ ms.localizationpriority: medium
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
 ms.date: 12/05/2018
 ms.reviewer: 
 manager: laurawi
 ms.audience: itpro
@ -42,7 +41,7 @@ Save your files to your favorite cloud, like OneDrive or Dropbox, and access the
 ## Deployment
-Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](windows-autopilot/windows-autopilot.md). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
 ## Keep line of business apps functioning with Desktop Bridge
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@ -0,0 +1,107 @@
 ---
 title: Windows 10 updates, channels, and tools
 description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
 keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
 ms.reviewer: 
 manager: laurawi
 ms.topic: article
 ---
 # Windows 10 updates, channels, and tools
 ## How Windows updates work
 There are four phases to the Windows update process:
 - **Scan:** A device checks the Microsoft Update server, Windows Update service, or your Windows Server Update Services (WSUS) endpoint at random intervals to see if any updates have been added since the last time updates were searched, and then evaluates whether the update is appropriate by checking the policies that have been set up by the
 administrator. This process is invisible to the user.
 - **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple
 sequential phases.
 - **Install:** After the update is downloaded, depending on the device’s Windows Update settings, the update is installed on the system.
 - **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous
 version of the software.
 ## Types of updates
 We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*. 
 - **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
 - **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
 - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
 - **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
 - **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
 ## Servicing channels
 Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service" which conceives of deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process.
 The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
 ### Semi-annual Channel
 In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release.{IS THIS STILL TRUE?}
 > [!NOTE]
 > All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607.
 ### Windows Insider Program for Business
 Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
 - Windows Insider Fast
 - Windows Insider Slow
 - Windows Insider Release Preview
 We recommend that you use the Windows Insider Release Preview channel for validation activities.
 ### Long-term Servicing Channel
 The **Long Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
 The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. 
 | Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel |
 | --- | --- | --- | --- |
 | Home | ![yes](images/checkmark.png)|![no](images/crossmark.png)    | ![no](images/crossmark.png)|
 | Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
 | Enterprise  | ![yes](images/checkmark.png) |![yes](images/checkmark.png)  |  ![no](images/crossmark.png)|
 | Enterprise LTSB  | ![no](images/crossmark.png) |![no](images/crossmark.png) |   ![yes](images/checkmark.png)|
 | Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
 | Education  | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
 ## Servicing tools
 ### Tools for on-premises update delivery
 Windows Server Update Services (WSUS): you set up a WSUS server, which downloads updates in bulk from Microsoft. Your individual devices then connect to your server to install their updates from there.
 You can set up, control, and manage the server and update process with a number of tools:
 - A standalone Windows Server Update Services server operated directly
 - [Configuration Manager](deploy-updates-configmgr.md)
 - Non-Microsoft tools
 For more information, see [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
 ### Tools for cloud-based update delivery
 Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of a number of tools:
 - [Group Policy Management Console](waas-wufb-group-policy.md) (Gpmc.msc)
 - [Microsoft Intune](waas-wufb-intune.md)
 - Non-Microsoft MDM tools
 ### Hybrid scenarios
 It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@ -24,9 +24,11 @@ ms.topic: article
 > This is a 200 level topic (moderate).  
 > See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
 This topic provides some common causes and solutions that are associated with specific upgrade error codes. If a Windows 10 upgrade fails, you can write down the error code that is displayed, or find the error code in the Windows [Event Log](windows-error-reporting.md) or in the Windows Setup [log files](log-files.md) (ex: **setuperr.log**) and review the cause and solutions provided here. You should also try running the free [SetupDiag](setupdiag.md) tool provided by Microsoft, which can automatically find the reason for an upgrade failure.
 ## 0xC1900101
-A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:  
+A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:  
 - The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
 - Event logs: $Windows.~bt\Sources\Rollback\*.evtx
@ -38,251 +40,16 @@ To resolve a rollback that was caused by driver conflicts, try running setup usi
 See the following general troubleshooting procedures associated with a result code of 0xC1900101:<br /><br />
 <table border="1" cellspacing="0" cellpadding="0">
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+| Code | Mitigation | Cause |
-
+| :---     |  :---  |  :--- |
-<table cellspacing="0" cellpadding="0">
+| 0xC1900101 - 0x20004   | Uninstall antivirus applications.<br>Remove all unused SATA devices. <br>Remove all unused devices and drivers. <br>Update drivers and BIOS.     | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation. <br>This is generally caused by out-of-date drivers.    |
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
+| 0xC1900101 - 0x2000c     | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br> Contact your hardware vendor to obtain updated device drivers.<br> Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.       | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.<br> This is generally caused by out-of-date drivers      |
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004
+| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](https://support.microsoft.com/en-us/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. |
-</table>
+| 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Contact your hardware vendor to obtain updated device drivers.<br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
-
+| 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.<br>This can occur due to a problem with a display driver. |
-<table cellspacing="0" cellpadding="0">
+| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.<br>Review the rollback log and determine the stop code.<br>The rollback log is located in the <strong>$Windows.~BT\Sources\Rollback</strong> folder.  An example analysis is shown below. This example is not representative of all cases:<br>&nbsp;<br>Info SP     Crash 0x0000007E detected<br>Info SP       Module name           :<br>Info SP       Bugcheck parameter 1  : 0xFFFFFFFFC0000005<br>Info SP       Bugcheck parameter 2  : 0xFFFFF8015BC0036A<br>Info SP       Bugcheck parameter 3  : 0xFFFFD000E5D23728<br>Info SP       Bugcheck parameter 4  : 0xFFFFD000E5D22F40<br>Info SP     Cannot recover the system.<br>Info SP     Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.<br>&nbsp;<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>&nbsp;<br>1. Make sure you have enough disk space.<br>2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>3. Try changing video adapters.<br>4. Check with your hardware vendor for any BIOS updates.<br>5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.<br>This can occur because of incompatible drivers. |
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).<br>&nbsp;<br>Ensure that you select the option to "Download and install updates (recommended)."  <br>&nbsp;<br><b>Computers that run Citrix VDA</b>  <br>You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.  <br>&nbsp;<br>This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.  <br>&nbsp;<br>**Resolution**<br>&nbsp;<br>To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).<br>&nbsp;<br>You can work around this problem in two ways:<br>&nbsp;<br>**Workaround 1**<br>&nbsp;<br>1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.<br>2. Run the Windows upgrade again.<br>3. Reinstall Citrix VDA.<br>&nbsp;<br>**Workaround 2**<br>&nbsp;<br>If you cannot uninstall Citrix VDA, follow these steps to work around this problem:  <br>&nbsp;<br>1. In Registry Editor, go to the following subkey:<br> **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**<br>2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.<br>3. Go to the following subkey:<br> **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**<br>4. Delete the **CtxMcsWbc** entry.<br>5. Restart the computer, and then try the upgrade again.<br>&nbsp;<br>**Non-Microsoft information disclaimer**  <br>The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.<br>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
 <br>This is generally caused by out-of-date drivers.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Uninstall antivirus applications.
 <br>Remove all unused SATA devices.
 <br>Remove all unused devices and drivers.
 <br>Update drivers and BIOS.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
 <br>This is generally caused by out-of-date drivers.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
 <br>Contact your hardware vendor to obtain updated device drivers.
 <br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
 <br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
 <br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 Ensure that all that drivers are updated.  
 <br />Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.  
 <br />For more information, see <a href="https://support.microsoft.com/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows">Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations</a>.
 <br>Update or uninstall the problem drivers.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
 <br>Contact your hardware vendor to obtain updated device drivers.
 <br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
 <br>This can occur due to a problem with a display driver.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
 <br>Update or uninstall the display driver.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
 <br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
 <br>This can occur because of incompatible drivers.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
 <br>Review the rollback log and determine the stop code.
 <br>The rollback log is located in the <strong>$Windows.~BT\Sources\Rollback</strong> folder.  An example analysis is shown below. This example is not representative of all cases:
 <pre>
 Info SP     Crash 0x0000007E detected
 Info SP       Module name           :
 Info SP       Bugcheck parameter 1  : 0xFFFFFFFFC0000005
 Info SP       Bugcheck parameter 2  : 0xFFFFF8015BC0036A
 Info SP       Bugcheck parameter 3  : 0xFFFFD000E5D23728
 Info SP       Bugcheck parameter 4  : 0xFFFFD000E5D22F40
 Info SP     Cannot recover the system.
 Info SP     Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.</pre>
 Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>
 1. Make sure you have enough disk space.<br>
 2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>
 3. Try changing video adapters.<br>
 4. Check with your hardware vendor for any BIOS updates.<br>
 5. Disable BIOS memory options such as caching or shadowing.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
 <br>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 <b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).  
 Ensure that you select the option to "Download and install updates (recommended)."  
 <b>Computers that run Citrix VDA</b>  
 You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.  
 This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.  
 **Resolution**
 To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
 You can work around this problem in two ways
 **Workaround 1**
 1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
 1. Run the Windows upgrade again.
 1. Reinstall Citrix VDA.
 **Workaround 2**
 If you cannot uninstall Citrix VDA, follow these steps to work around this problem:  
 1. In Registry Editor, go to the following subkey:
   ```
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc
   ```
 1. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
 1. Go to the following subkey:
   ```
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
   ```
 1. Delete the **CtxMcsWbc** entry.
 1. Restart the computer, and then try the upgrade again.
 > **Third-party information disclaimer**  
 > The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
 </table>
 </td>
 </tr>
 </table>
 ## 0x800xxxxx
@ -290,223 +57,15 @@ Result codes that start with the digits 0x800 are also important to understand.
 See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
-<br><table border="1" cellspacing="0" cellpadding="0">
+| Code | Mitigation | Cause |
-
+| :---     |  :---  |  :--- |
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+| 80040005 - 0x20007     |  This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution.  |   An unspecified error occurred with a driver during the SafeOS phase.   |
-
+| 0x80073BC3 - 0x20009<br>0x80070002 - 0x20009<br>0x80073B92 - 0x20009     |  These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition.  |   The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.   |
-<table cellspacing="0" cellpadding="0">
+| 800704B8 - 0x3001A   |  Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135).  |   An extended error has occurred during the first boot phase.   |
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
+| 8007042B - 0x4000D    |  [Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.  |   The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.<br>This issue can occur due to file system, application, or driver issues.   |
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+| 8007001F - 0x3000D    |  [Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.<br>&nbsp;<br>This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.<br>&nbsp;<br>**Note**: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.<br>&nbsp;<br>To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.|   The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation.   |
-80040005 - 0x20007
+| 8007001F - 0x4000D     |  [Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.  |   General failure, a device attached to the system is not functioning.   |
-
+| 8007042B - 0x4001E   |  This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution.  |   The installation failed during the second boot phase while attempting the PRE_OOBE operation.   |
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 An unspecified error occurred with a driver during the SafeOS phase.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 0x80073BC3 - 0x20009<br>
 0x80070002 - 0x20009<br>
 0x80073B92 - 0x20009
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 800704B8 - 0x3001A
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 An extended error has occurred during the first boot phase.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135).
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 8007042B - 0x4000D
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
 <br>This issue can occur due to file system, application, or driver issues.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 [Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 8007001F - 0x3000D
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 [Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.
 This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
 > [!NOTE]  
 > If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
 To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 8007001F - 0x4000D
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 General failure, a device attached to the system is not functioning.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 [Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
 </table>
 </td>
 </tr>
 <tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 8007042B - 0x4001E
 </table>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 The installation failed during the second boot phase while attempting the PRE_OOBE operation.
 </table>
 </td>
 <td align="left" valign="top" style='border:solid #000000 1.0pt;'>
 <table cellspacing="0" cellpadding="0">
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
 <tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
 This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution.
 </table>
 </td>
 </tr>
 </table>
 ## Other result codes
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@ -26,7 +26,7 @@ ms.topic: article
 If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. 
-Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100.
+Briefly, the upgrade process consists of four phases that are controlled by [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-technical-reference): **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100.
 These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@ -25,6 +25,7 @@ To successfully deploy the Windows 10 operating system in your organization, it
 The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. 
 - Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
  - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
 - Dynamic deployment methods enable you to configure applications and settings for specific use cases. 
 - Traditional deployment methods use existing tools to deploy operating system images.<br>&nbsp;
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@ -38,7 +38,7 @@ The Windows Intune security baseline provides a comprehensive set of recommended
 - [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
 - [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
-Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
+Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
 >[!NOTE]
 >The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.