diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index 29090e5faa..e261955400 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -21,7 +21,11 @@ localizationpriority: high
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
-
**Note** This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
+
+> **Note** This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
+
+
+> **Note** For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892).
## In this section
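Review bot: the original unquoted note line (`**Note** This content isn't meant to be a step-by-step guide...`) is kept as context while the same sentence is added again as a `> **Note**` blockquote, so the rendered page will carry the note twice; the old line should be removed (`-` prefixed) in this hunk. Two consecutive blank lines are also added before the second note where one would do.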
@@ -58,3 +62,4 @@ You'll need to keep running them using IE11. If you don't have IE11 installed an
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644)
- [Internet Explorer 11 - FAQ for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760645)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
+
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index a3dcf46f40..67b924eaef 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -44,6 +44,7 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
+- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 22d411f58d..5228460e99 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -19,6 +19,10 @@ ms.sitesec: library
Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
+>**Upgrade Analytics and Windows upgrades**
+>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started).
+
+
## Before you begin
Before you start, you need to make sure you have the following:
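Review bot: the new blockquote uses a bold pseudo-title (`>**Upgrade Analytics and Windows upgrades**`) while other files in this change use the `> [!NOTE]` alert syntax; pick one style for the set. The link text `[here]` is not descriptive (`Check out Upgrade Analytics from [here](...)`), so prefer linking the product name, and there are two trailing blank lines after the quote where one is enough.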
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 78978d8119..fbd10a4080 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -20,8 +20,8 @@ Included examples:
- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
-- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-IP-address)
-- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-IP-address-matches-the-specified-IP-address)
+- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
+- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)
diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md
index c9e24043a1..79a0d7af08 100644
--- a/browsers/internet-explorer/index.md
+++ b/browsers/internet-explorer/index.md
@@ -6,6 +6,7 @@ ms.prod: IE11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
+localizationpriority: low
---
diff --git a/devices/hololens/hololens-checklist.md b/devices/hololens/hololens-checklist.md
new file mode 100644
index 0000000000..d1eb5f80d4
--- /dev/null
+++ b/devices/hololens/hololens-checklist.md
@@ -0,0 +1,30 @@
+---
+title: Checklist for HoloLens in the enterprise (HoloLens)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Checklist: HoloLens in the enterprise
+
+[Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers)
+
+
+Windows Store for Business
+
+Requirements
+
+- IT Admins: Before you sign up for the Store for Business, at a minimum, you'll need an Azure Active Directory (AAD) account for your organization, and you'll need to be the global administrator for your organization. Once the Global Admin has signed in, they can give permissions to other employees.
+- End Users: Need Azure AD account when they access Store for Business content from Windows-based devices.
+
+[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
+
+[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
+
+[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
+
+[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
+
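Review bot: the front matter of this new topic ships `description: tbd`, a placeholder that will become the page's meta description; fill it in before merge. The body also reads as a draft: `Windows Store for Business` and `Requirements` are bare lines rather than headings, and apart from the two Store requirements the page is only a list of links with no checklist items, so either finish the structure or hold the file until it is ready.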
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index b127e38f53..47279ae319 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,8 +1,8 @@
# [Microsoft Surface Hub](index.md)
## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
-### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
@@ -17,20 +17,23 @@
#### [Setup worksheet](setup-worksheet-surface-hub.md)
#### [First-run program](first-run-program-surface-hub.md)
### [Manage Microsoft Surface Hub](manage-surface-hub.md)
-#### [Accessibility](accessibility-surface-hub.md)
-#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-surface-hub.md)
-#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
+#### [Remote Surface Hub management](remote-surface-hub-management.md)
+##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
+##### [Monitor your Surface Hub](monitor-surface-hub.md)
+##### [Windows updates](manage-windows-updates-for-surface-hub.md)
+#### [Manage Surface Hub settings](manage-surface-hub-settings.md)
+##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
+##### [Accessibility](accessibility-surface-hub.md)
+##### [Change the Surface Hub device account](change-surface-hub-device-account.md)
+##### [Device reset](device-reset-surface-hub.md)
+##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
+##### [Wireless network management](wireless-network-management-for-surface-hub.md)
#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-#### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)
-#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-#### [Monitor your Surface Hub](monitor-surface-hub.md)
+#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
-#### [Windows updates](manage-windows-updates-for-surface-hub.md)
-#### [Wireless network management](wireless-network-management-for-surface-hub.md)
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
-
+## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
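Review bot: the file now ends without a trailing newline (`\ No newline at end of file`) after the new `Change history for Surface Hub` entry; add the newline so later diffs against this TOC stay clean.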
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 4950e97e51..5aa1cfc951 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -13,66 +13,44 @@ localizationpriority: medium
# Accessibility (Surface Hub)
+Microsoft Surface Hub has the same accessibility options as Windows 10.
-Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under **Ease of Access**. Your Surface Hub has the same accessibility options as Windows 10.
-The default accessibility settings for Surface Hub include:
+## Default accessibility settings
-
-
-
-
-
-
-
-
Accessibility feature
-
Default setting
-
-
-
-
-
Narrator
-
Off
-
-
-
Magnifier
-
Off
-
-
-
High contrast
-
No theme selected
-
-
-
Closed captions
-
Defaults selected for Font and Background and window.
-
-
-
Keyboard
-
On-screen Keyboard, Sticky Keys, Toggle Keys, and Filter Keys are all off.
-
-
-
Mouse
-
Defaults selected for Pointer size, Pointer color and Mouse keys.
-
-
-
+The full list of accessibility settings are available to IT admins in the **Settings** app. The default accessibility settings for Surface Hub include:
-
+| Accessibility feature | Default settings |
+| --------------------- | ----------------- |
+| Narrator | Off |
+| Magnifier | Off |
+| High contrast | No theme selected |
+| Closed captions | Defaults selected for Font and Background and window |
+| Keyboard | **On-screen Keyboard**, **Sticky Keys**, **Toggle Keys**, and **Filter Keys** are all off. |
+| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
+| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
+
+Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
+- Narrator
+- Magnifier
+- High contrast
+- Filter keys
+- Sticky keys
+- Toggle keys
+- Mouse keys
+
+
+## Change accessibility settings during a meeting
+
+During a meeting, users can toggle accessibility features and apps in a couple ways:
+- [Keyboard shortcuts](https://support.microsoft.com/en-us/help/13813/windows-10-microsoft-surface-hub-keyboard-shortcuts)
+- **Quick Actions** > **Ease of Access** from the status bar
+
+> 
-You'll find additional settings under **Ease of Access** > **Other options**.
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
-
-
-
-
-
-
-
-
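Review bot: the added `> ` line just before `## Related topics` is an empty blockquote and will render as an empty callout box; drop it or put the intended note text after it. Minor wording in the same hunk: `The full list of accessibility settings are available` should read `is available`, `in a couple ways` should be `in a couple of ways`, and the table header `Default settings` is plural while each row describes one default.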
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index cf642f2291..0278b24569 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -14,96 +14,67 @@ localizationpriority: medium
# Admin group management (Surface Hub)
-Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.
+Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app.
+
-The Settings app requires local administrator credentials to open the app.
## Admin Group Management
+You can set up administrator accounts for the device in one of three ways:
-You can set up administrator accounts for the device in any of three ways:
+- Create a local admin account
+- Domain join the device to Active Directory (AD)
+- Azure Active Directory (Azure AD) join the device
-- Create a local admin account.
-- Domain join the device to Active Directory (AD).
-- Azure Active Directory (Azure AD) join the device.
### Create a local admin account
-To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will need to be provided to open the Settings app.
+To create a local admin, [choose to use a local admin during first run](first-run-program-surface-hub.md#use-a-local-admin). This will create a single local admin account on the Surface Hub with the username and password of your choice. Use these credentials to open the Settings app.
-Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again.
+Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then you’ll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
### Domain join the device to Active Directory (AD)
-You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings.
+You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
->**Note** Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
+#### What happens when you domain join your Surface Hub?
+Surface Hubs use domain join to:
+- Grant admin rights to members of a specified security group in AD.
+- Backup the device's BitLocker recovery key by storing it under the computer object in AD. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
+- Synchronize the system clock with the domain controller for encrypted communication
-
+Surface Hub does not support applying group policies or certificates from the domain controller.
->**Note** If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first.
+> [!NOTE]
+> If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
-
### Azure Active Directory (Azure AD) join the device
-You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app.
+You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
->**Note** If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses.
+By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
+1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
+2. On the **Configure** page, under **Devices** > **Additional administrators on Azure AD joined devices**, click **Selected**.
+3. Click **Add**, and select the users you want to add as administrators on your Surface Hub and other Azure AD joined devices.
+4. When you have finished, click the checkmark button to save your change.
-
+#### What happens when you Azure AD join your Surface Hub?
+Surface Hubs use Azure AD join to:
+- Grant admin rights to the appropriate users in your Azure AD tenant.
+- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
+
+> [!IMPORTANT]
+> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
### Which should I choose?
-If your organization is using AD or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with you domain or organization.
-
-We recommend that a local admin be set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
-
-### Summary
-
-
-
-
-
-
-
-
-
-
How is the local administrator set up?
-
Requirements
-
Which credentials can be used for the Settings app?
-
-
-
-
-
A local admin account is created.
-
None.
-
The credentials of the local admin that was created.
-
-
-
The Surface Hub is joined to a domain.
-
Your organization is using Active Directory (AD).
-
Credentials of any AD user from a specified security group
-
-
-
The Surface Hub is joined to Azure Active Directory (Azure AD).
-
Your organization is using Azure AD Basic.
-
Tenant or device admins
-
-
-
Your organization is using Azure AD Premium.
-
Tenant or device admins + additional specified people
-
-
-
-
-
-
-
-
-
-
-
-
+If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
+| Option | Requirements | Which credentials can be used to access the Settings app? |
+|---------------------------------------------------|-----------------------------------------|-------|
+| Create a local admin account | None | The user name and password specified during first run |
+| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
+| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
+| | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
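Review bot: typo in the last table row, `Global administators only` should be `Global administrators only`. In both bullet lists `Backup the device's BitLocker recovery key` uses the noun form; as a verb it should be `Back up`, and the bullet `Synchronize the system clock with the domain controller for encrypted communication` is missing its terminal period. The first-run link fragments such as `#a-href-iduse-active-directoryause-active-directory-domain-services` look like they were generated from an inline HTML anchor inside the target heading; please confirm they resolve after build, since they break as soon as that heading is cleaned up.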
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
new file mode 100644
index 0000000000..a753773f2f
--- /dev/null
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -0,0 +1,40 @@
+---
+title: Change history for Surface Hub
+description: This topic lists new and updated topics for Surface Hub.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Change history for Surface Hub
+
+This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+
+## November 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | New |
+
+## RELEASE: Windows Anniversary Update for Surface Hub (Windows 10, version 1607)
+The topics in this library have been updated for Windows 10, version 1607 (also known as Windows Anniversary Update for Surface Hub). These topics had significant updates for this release:
+- [Windows Updates (Surface Hub)](manage-windows-updates-for-surface-hub.md)
+- [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md)
+- [Monitor your Microsoft Surface Hub](monitor-surface-hub.md)
+- [Create provisioning packages (Surface Hub)](provisioning-packages-for-certificates-surface-hub.md)
+- [Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md)
+- [Device reset (Surface Hub)](device-reset-surface-hub.md)
+
+## October 2016
+| New or changed topic | Description |
+| --- | --- |
+| [Admin group management (Surface Hub)](admin-group-management-for-surface-hub.md) |Add note about automatic enrollment, and update table. |
+| [Password management (Surface Hub)](password-management-for-surface-hub-device-accounts.md) | Updates to content. |
+| [Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Reorganize and streamline guidance on creating a device account. |
+| [Introduction to Surface Hub](intro-to-surface-hub.md) | Move Surface Hub dependencies table to [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md). |
+| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Add dependency table and reorganize topic. |
+| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | New topic. |
\ No newline at end of file
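Review bot: the link `[Surface Hub Admin Guide]( surface-hub-administrators-guide.md)` has a leading space inside the parentheses, which some Markdown renderers treat as a broken link; remove the space. The `## October 2016` heading is also followed directly by its table with no blank line, unlike the November section, and the file lacks a trailing newline.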
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index c32f557d19..3d1a589760 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -233,7 +233,7 @@ Surface Hub is compatible with a range of hardware. Choose the processor and mem
### Graphics adapter
-In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, though the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal, 60Hz video signals are also supported.
+In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal.
**55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
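Review bot: after dropping the clause `60Hz video signals are also supported`, the sentence still opens with `For example,` but no longer gives an example of anything; drop the lead-in or rephrase. More importantly, removing that clause changes a stated capability: if 60 Hz input is still supported but merely not recommended, say so explicitly rather than leaving readers to infer it is unsupported.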
@@ -295,7 +295,7 @@ Replacement PC ports on 55" Surface Hub.
PC video
Video input
-
DisplayPort 1.2
+
DP 1.2
Full screen display of 1080p at 120 Hz, plus audio
HDCP compliant
@@ -352,7 +352,7 @@ Replacement PC ports on 84" Surface Hub.
PC video
Video input
-
DisplayPort 1.2 (2x)
+
DP 1.2 (2x)
Full screen display of 2160p at 120 Hz, plus audio
HDCP compliant
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index a24d50ff5c..914b6136e6 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -133,7 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
5. Finally, to connect to Exchange Online Services, run:
``` syntax
- $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
+ $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
```

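Review bot: the missing space before `"https://outlook.office365.com/powershell-liveid/"` is the right fix, but the same line still uses a typographic en dash in `–AllowRedirection` that is visually indistinguishable from a hyphen; replace it with an ASCII `-` so the command copies cleanly into any host. The fence is tagged `syntax`, which no highlighter recognises; `powershell` would give correct highlighting.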
@@ -202,7 +202,7 @@ Now that you're connected to the online services, you can finish setting up the
``` syntax
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
- Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!"
+ Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```

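Review bot: the context line above the change still contains en dashes in `–AllowConflicts $false –DeleteComments $false`; while touching this block, normalise them to ASCII hyphens so the `Set-CalendarProcessing` command pastes correctly. The fence tag `syntax` should be `powershell` as well.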
@@ -350,7 +350,7 @@ Now that you're connected to the online services, you can finish setting up the
``` syntax
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
- Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!"
+ Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”).
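Review bot: this is the second copy of the same `Set-CalendarProcessing` block in the file, and it carries the same en-dash parameters (`–AllowConflicts`, `–DeleteComments`) that need to become ASCII hyphens; since the response string had to be changed in both places, consider keeping a single copy of the script so the two cannot drift apart again.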
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index b1888116aa..ec7e16757b 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -16,166 +16,43 @@ localizationpriority: medium
This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
-A "device account" is an account that the Microsoft Surface Hub uses to:
+A **device account** is an Exchange resource account that Surface Hub uses to:
-- sync its meeting calendar,
-- send mail,
-- and enable Skype for Business compatibility.
+- Display its meeting calendar
+- Join Skype for Business calls
+- Send email (for example, email whiteboard content from a meeting)
-People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees.
+Once the device account is provisioned to a Surface Hub, people can add this account to a meeting invitation the same way that they would invite a meeting room.
->**Important** Without a device account, none of these features will work.
+## Configuration overview
-
+This table explains the main steps and configuration decisions when you create a device account.
+
+| Step | Description | Purpose |
+|------|---------------------------------|--------------------------------------|
+| 1 | Created a logon-enabled Exchange resource mailbox (Exchange 2013 or later, or Exchange Online) | This resource mailbox allows the device to maintain a meeting calendar, receive meeting requests, and send mail. It must be logon-enabled to be provisioned to a Surface Hub. |
+| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
+| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
+| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
+| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
+| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
-Every device account is unique to a single Surface Hub, and requires some setup:
+## Detailed configuration steps
-- The device account must be configured correctly, as described in the folllowing sections.
-- Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services.
+We recommend setting up your device accounts using remote PowerShell. There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts and instructions, see [Appendix A: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
-You can think of a device account as the resource account that people recognize as a conference room’s or meeting space’s account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one.
+For detailed steps using PowerShell to provision a device account, choose an option from the table, based on your organization deployment.
-If you already have a resource mailbox account set up for the meeting space where you’re putting a Surface Hub, you can change that resource account into a device account. Once that’s done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md).
+| Organization deployment | Description |
+|---------------------------------|--------------------------------------|
+| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
+| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
+| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
-The following sections will describe how to create and test a device account before configuring your Surface Hub.
-
-### Basic configuration
-
-These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config).
-
-
-
-
-
-
-
-
-
Property
-
Purpose
-
-
-
-
-
Exchange mailbox (Exchange 2013 or later, or Exchange Online)
-
Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hub’s welcome screen. The Surface Hub mailbox must be a room mailbox.
-
-
-
Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)
-
Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.
-
-
-
Password-enabled
-
The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.
-
-
-
Compatible EAS policies
-
The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.
-
-
-
-
-
-
-### Advanced configuration
-
-While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account.
-
-
-
-
-
-
-
-
-
Property
-
Purpose
-
-
-
-
-
Certificate-based authentication
-
Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.
-
See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.
-
-
-
Allowed device IDs (ActiveSync Device ID)
-
Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device account’s mail and calendar. You must ensure that the Surface Hub’s device ID is added to this whitelist. This can either be configured using PowerShell (by setting the ActiveSyncAllowedDeviceIDs property) or the Exchange administrative portal.
-
You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).
-
-
-
-
-
-
-### How do I set up the account?
-
-The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
-
-You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
-
-### Device account configuration
-
-Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
-
-- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
-- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
-- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
-
-If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md).
-
-### Device account resources
-
-These sections describe resources used by the Surface Hub device account.
-
-- [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly.
-- [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar.
-- [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password.
-
-## In this section
+If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
+For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
-
A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
-
-
-
[Create a device account using UI](create-a-device-account-using-office-365.md)
-
If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).
Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.
-
-
-
[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
-
The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.
Every Surface Hub device account requires a password to authenticate and enable features on the device.
-
-
-
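Review bot: Step 1 of the new configuration table reads "Created a logon-enabled Exchange resource mailbox" while every other step is imperative; change it to "Create". In the same hunk, the sentence "There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts..." is missing a period before "For". On substance, the rewrite drops the old advanced-configuration row on certificate-based authentication (certificates may be required for ActiveSync and Skype for Business and are deployed through provisioning packages or MDM, with a link to the provisioning-packages topic) and the link to the "Allowing device IDs for ActiveSync" cmdlet section: new step 5 mentions whitelisting the ActiveSync Device ID but no longer points to the cmdlet, and the certificate requirement appears nowhere in the new text. Consider restoring both, since these are the settings most likely to block the device account in a locked-down Exchange environment. Finally, the "## In this section" heading is removed but the link descriptions below it are kept as context; confirm the remaining lines still render as an intentional section rather than orphaned text.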
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index fe97b78978..dc24991701 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -30,6 +30,14 @@ Initiating a reset will return the device to the last cumulative Windows update,
- Local admins on the device
- Configurations from MDM or the Settings app
+> [!IMPORTANT]
+> Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+
+After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
+
+
+## Reset a Surface Hub from Settings
+
**To reset a Surface Hub**
1. On your Surface Hub, open **Settings**.
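Review bot: The new IMPORTANT callout says the reset "may take up to 2 hours", but the note it replaces further down this file (removed in the next hunk) says "up to 6 hours"; confirm which figure is correct before merging, since the warning tells admins not to interrupt a process whose expected duration they judge from this number. Also, the moved sentence "After the reset, Surface Hub restarts the first run program again" now sits before the "To reset a Surface Hub" procedure whose outcome it describes; consider placing it after the steps, or under both reset procedures, so the order of events is clear.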
@@ -43,14 +51,20 @@ Initiating a reset will return the device to the last cumulative Windows update,

-**Important Note**
-Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+## Reset a Surface Hub from Windows Recovery Environment
+
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE).
+
+**To reset a Surface Hub from Windows Recovery Environment**
+
+1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
+2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
+3. Select **Reset**.
+4. If prompted, enter your device's BitLocker key.
-After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
\ No newline at end of file
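Review bot: Step 4 of the Windows RE procedure ("If prompted, enter your device's BitLocker key") does not say where an admin obtains that key, and a device that has locked itself to protect user data cannot be reset without it. Suggest adding a sentence, or a link to the BitLocker recovery-key guidance, telling admins to confirm the recovery key is retrievable before they need it; the rest of this repository treats BitLocker on Surface Hub as always on, so the prerequisite is easy to miss. Minor: "## Related topics" now follows the numbered list with no blank line between them, which some Markdown renderers fold into the last list item.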
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
new file mode 100644
index 0000000000..73557c1f2c
--- /dev/null
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -0,0 +1,169 @@
+---
+title: Differences between Surface Hub and Windows 10 Enterprise
+description: This topic explains the differences between Windows 10 Team and Windows 10 Enterprise.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: isaiahng
+localizationpriority: medium
+---
+
+# Differences between Surface Hub and Windows 10 Enterprise
+
+The Surface Hub operating system, Windows 10 Team, is based on Windows 10 Enterprise, providing rich support for enterprise management, security, and other features. However, there are important differences between them. While the Enterprise edition is designed for PCs, Windows 10 Team is designed from the ground up for large screens and meeting rooms. When you evaluate security and management requirements for Surface Hub, it's best to consider it as a new operating system. This article is designed to help highlight the key differences between Windows 10 Team on Surface Hub and Windows 10 Enterprise, and what the differences mean for your organization.
+
+## User interface
+
+### Shell (OS user interface)
+
+The Surface Hub's shell is designed from the ground up to be large screen and touch optimized. It doesn't use the same shell as Windows 10 Enterprise.
+
+*Organization policies that this may affect:* Settings related to controls in the Windows 10 Enterprise shell don't apply for Surface Hub.
+
+### Lock screen and screensaver
+
+Surface Hub doesn't have a lock screen or a screen saver, but it has a similar feature called the welcome screen. The welcome screen shows scheduled meetings from the device account's calendar, and easy entry points to the Surface Hub's top apps - Skype for Business, Whiteboard, and Connect.
+
+*Organization policies that this may affect:* Settings for lock screen, screen timeout, and screen saver don't apply for Surface Hub.
+
+### User logon
+
+Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
+
+> [!NOTE]
+> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
+
+*Organization policies that this may affect:* Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
+
+### Saving and browsing files
+
+Users have access to a limited set of directories on the Surface Hub:
+- Music
+- Videos
+- Documents
+- Pictures
+- Downloads
+
+Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
+
+*Organization policies that this may affect:* Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
+
+## Applications
+
+### Default applications
+
+With few exceptions, the default Universal Windows Platform (UWP) apps on Surface Hub are also available on Windows 10 PCs.
+
+UWP apps pre-installed on Surface Hub:
+- Alarms & Clock
+- Calculator
+- Connect
+- Excel Mobile
+- Feedback Hub
+- File Explorer*
+- Get Started
+- Maps
+- Microsoft Edge
+- Microsoft Power BI
+- OneDrive
+- Photos
+- PowerPoint Mobile
+- Settings*
+- Skype for Business*
+- Store
+- Whiteboard*
+- Word Mobile
+
+*Apps with an asterisk (*) are unique to Surface Hub*
+
+*Organization policies that this may affect:* Use guidelines for Windows 10 Enterprise to determine the features and network requirements for default apps on the Surface Hub.
+
+### Installing apps, drivers, and services
+
+To help preserve the appliance-like nature of the device, Surface Hub only supports installing Universal Windows Platform (UWP) apps, and does not support installing classic Win32 apps, services and drivers. Furthermore, only admins have access to install UWP apps.
+
+*Organization policies that this may affect:* Employees can only use the apps that have been installed by admins, helping mitigate against unintended use. Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools.
+
+## Security and lockdown
+
+For Surface Hub to be used in communal spaces, such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10.
+
+Surface Hub implements these Windows 10 security features:
+- [UEFI Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview)
+- [User Mode Code Integrity (UMCI) with Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)
+- [Application restriction policies using AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview)
+- [BitLocker Drive Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview)
+- [Trusted Platform Module (TPM)](https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview)
+- [Windows Defender](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10)
+- [User Account Control (UAC)](https://technet.microsoft.com/itpro/windows/keep-secure/user-account-control-overview) for access to the Settings app
+
+These Surface Hub features provide additional security:
+- Custom UEFI firmware
+- Custom shell and Start menu limits device to meeting functions
+- Custom File Explorer only grants access to files and folders under My Documents
+- Custom Settings app only allows admins to modify device settings
+- Downloading advanced Plug and Play drivers is disabled
+
+*Organization policies that this may affect:* Consider these features when performing your security assessment for Surface Hub.
+
+## Management
+
+### Device settings
+
+Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not log in the admin.
+
+*Organization policies that this may affect:* Employees can use the Surface Hub for meetings, but cannot modify any device settings. In addition to lockdown features, this ensures that employees only use the device for meeting functions.
+
+### Administrative features
+
+The administrative features in Windows 10 Enterprise, such as the Microsoft Management Console, Run, Command Prompt, PowerShell, registry editor, event viewer, and task manager are not supported on Surface Hub. The Settings app contains all of the administrative features locally available on Surface Hub.
+
+*Organization policies that this may affect:* Surface Hubs are not managed like traditional PCs. Use MDM to configure settings and OMS to monitor your Surface Hub.
+
+### Remote management and monitoring
+
+Surface Hub supports remote management through mobile device management (MDM), and monitoring through Operations Management Suite (OMS).
+
+*Organization policies that this may affect:* Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools, such as System Center Operations Manager.
+
+### Group policy
+
+Surface Hub does not support group policy, including auditing. Instead, use MDM to apply policies to your Surface Hub. For more information about MDM, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
+
+*Organization policies that this may affect:* Use MDM to manage Surface Hub rather than group policy.
+
+### Remote assistance
+
+Surface Hub does not support remote assistance.
+
+*Organization policies that this may affect:* Policies related to remote assistance don't apply for Surface Hub.
+
+## Network
+
+### Domain join and Azure Active Directory (Azure AD) join
+
+Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't log in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
+
+*Organization policies that this may affect:* Group policies are not applied when a Surface Hub is joined to your domain. Policies related to domain membership don't apply for Surface Hub.
+
+### Accessing domain resources
+
+Users can sign in to Microsoft Edge to access intranet sites and online resources (such as Office 365). If your Surface Hub is configured with a device account, the system uses it to access Exchange and Skype for Business. However, Surface Hub doesn't support accessing domain resources such as file shares and printers.
+
+*Organization policies that this may affect:* Policies related to accessing domain objects don't apply for Surface Hub.
+
+
+
+### Telemetry
+
+The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+
+*Organization policies that this may affect:* Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
\ No newline at end of file
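Review bot: The front matter `keywords: change history` looks copied from another topic and does not describe this article; replace it with keywords about the Windows 10 Team and Windows 10 Enterprise differences, or drop it. Further points in this file: under "Device settings", "A User Accounts Control (UAC) prompt" should be "User Account Control" to match the security feature list earlier in the file; the footnote `*Apps with an asterisk (*) are unique to Surface Hub*` has an unescaped `*` inside the italic span, which breaks rendering (use `(\*)`); there are two stray blank lines before "### Telemetry"; and the file ends without a trailing newline. On substance, the "Security and lockdown" list is where a security reviewer looks first, so consider stating for the UMCI/Device Guard and AppLocker entries whether the policies are fixed by the OS image or configurable by admins, since the rest of the page says group policy is unsupported and only MDM is available for configuration.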
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index b34943faf8..43cc104e63 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -169,17 +169,19 @@ On this page, the Surface Hub will ask for credentials for the device account th
>**Note** This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.
-

### Details
-Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field.
+Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password.
+
+| Environment | Required format for device account|
+| ------------ | ----------------------------------|
+| Device account is hosted only online. | username@domain.com|
+| Device account is hosted only on-prem. | DOMAIN\username|
+| Device account is hosted online and on-prem (hybrid). | DOMAIN\username|
-- **User principal name:** This is the UPN of the device account for this Surface Hub. If you’re using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account.
-- **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If you’re using an Active Directory (AD) deployment, then you must enter the account in this format.
-- **Password:** Enter the device account password.
Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to:
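Review bot: The new format table contradicts the text it replaces for the hybrid case: the removed bullet said "If you’re using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN", while the new row says an account hosted online and on-prem (hybrid) must use `DOMAIN\username`. Confirm which is correct before merging, because a wrong identifier format here fails device-account sign-in during first run. Also, the table cells use a single backslash (`DOMAIN\username`) whereas the sentence above escapes it (`domain\\user name`); use the same escaping in both places so the backslash survives rendering.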
@@ -423,7 +425,7 @@ This page will attempt to create a new admin account using the credentials that
In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps.
-1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus).
+1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#use-windows-server-update-services).
2. Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**.
3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates.
4. Follow the onscreen prompts after the updates are installed. You may need to restart the device.
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index 4fd03e659e..798952d528 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -12,7 +12,7 @@ localizationpriority: medium
---
# Hybrid deployment (Surface Hub)
-A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
+A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#exchange-on-prem), and [Exchange hosted online](#exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
## Exchange on-prem
Use this procedure if you use Exchange on-prem.
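Review bot: The updated line still spells "Powershell" in "use the provided Powershell script" while the same sentence writes "PowerShell" a few words earlier; since the line is being edited anyway, fix the capitalization. The new anchors `#exchange-on-prem` and `#exchange-online` agree with the `## Exchange on-prem` heading shown in context, so the link fix itself looks right.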
diff --git a/devices/surface-hub/images/ICDstart-option.PNG b/devices/surface-hub/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/devices/surface-hub/images/ICDstart-option.PNG differ
diff --git a/devices/surface-hub/images/choose-package.png b/devices/surface-hub/images/choose-package.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/devices/surface-hub/images/choose-package.png differ
diff --git a/devices/surface-hub/images/connect-aad.png b/devices/surface-hub/images/connect-aad.png
new file mode 100644
index 0000000000..8583866165
Binary files /dev/null and b/devices/surface-hub/images/connect-aad.png differ
diff --git a/devices/surface-hub/images/express-settings.png b/devices/surface-hub/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/devices/surface-hub/images/express-settings.png differ
diff --git a/devices/surface-hub/images/icd-common-settings.png b/devices/surface-hub/images/icd-common-settings.png
new file mode 100644
index 0000000000..c2a8eb807f
Binary files /dev/null and b/devices/surface-hub/images/icd-common-settings.png differ
diff --git a/devices/surface-hub/images/icd-new-project.png b/devices/surface-hub/images/icd-new-project.png
new file mode 100644
index 0000000000..8a5c64fa4e
Binary files /dev/null and b/devices/surface-hub/images/icd-new-project.png differ
diff --git a/devices/surface-hub/images/license-terms.png b/devices/surface-hub/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/devices/surface-hub/images/license-terms.png differ
diff --git a/devices/surface-hub/images/networkmgtwired-01.png b/devices/surface-hub/images/networkmgtwired-01.png
index bbf7930292..d2c1748b0b 100644
Binary files a/devices/surface-hub/images/networkmgtwired-01.png and b/devices/surface-hub/images/networkmgtwired-01.png differ
diff --git a/devices/surface-hub/images/networkmgtwired-02.png b/devices/surface-hub/images/networkmgtwired-02.png
index 1ab3eddb4e..7312b644d0 100644
Binary files a/devices/surface-hub/images/networkmgtwired-02.png and b/devices/surface-hub/images/networkmgtwired-02.png differ
diff --git a/devices/surface-hub/images/networkmgtwireless-01.png b/devices/surface-hub/images/networkmgtwireless-01.png
index 5fadeb5d48..0ccdc9f5c7 100644
Binary files a/devices/surface-hub/images/networkmgtwireless-01.png and b/devices/surface-hub/images/networkmgtwireless-01.png differ
diff --git a/devices/surface-hub/images/networkmgtwireless-02.png b/devices/surface-hub/images/networkmgtwireless-02.png
index 8f8f84602a..5e9ccb9d99 100644
Binary files a/devices/surface-hub/images/networkmgtwireless-02.png and b/devices/surface-hub/images/networkmgtwireless-02.png differ
diff --git a/devices/surface-hub/images/networkmgtwireless-04.png b/devices/surface-hub/images/networkmgtwireless-04.png
index 9fb5a315e3..c1d0e6ec6d 100644
Binary files a/devices/surface-hub/images/networkmgtwireless-04.png and b/devices/surface-hub/images/networkmgtwireless-04.png differ
diff --git a/devices/surface-hub/images/oobe.jpg b/devices/surface-hub/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/devices/surface-hub/images/oobe.jpg differ
diff --git a/devices/surface-hub/images/prov.jpg b/devices/surface-hub/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/devices/surface-hub/images/prov.jpg differ
diff --git a/devices/surface-hub/images/setupdeviceacct.png b/devices/surface-hub/images/setupdeviceacct.png
index 8eefaa51f7..23c2f22171 100644
Binary files a/devices/surface-hub/images/setupdeviceacct.png and b/devices/surface-hub/images/setupdeviceacct.png differ
diff --git a/devices/surface-hub/images/setupdomainjoin.png b/devices/surface-hub/images/setupdomainjoin.png
index 88f74a2d30..c42a637981 100644
Binary files a/devices/surface-hub/images/setupdomainjoin.png and b/devices/surface-hub/images/setupdomainjoin.png differ
diff --git a/devices/surface-hub/images/setupexchangeserver-01.png b/devices/surface-hub/images/setupexchangeserver-01.png
index d70eaa91cf..f3b9dc9e18 100644
Binary files a/devices/surface-hub/images/setupexchangeserver-01.png and b/devices/surface-hub/images/setupexchangeserver-01.png differ
diff --git a/devices/surface-hub/images/setupexchangeserver-02.png b/devices/surface-hub/images/setupexchangeserver-02.png
index 2de288fb19..58462ec244 100644
Binary files a/devices/surface-hub/images/setupexchangeserver-02.png and b/devices/surface-hub/images/setupexchangeserver-02.png differ
diff --git a/devices/surface-hub/images/setupjoiningazuread-1.png b/devices/surface-hub/images/setupjoiningazuread-1.png
index 4d5cc1cc3d..cd24be2c90 100644
Binary files a/devices/surface-hub/images/setupjoiningazuread-1.png and b/devices/surface-hub/images/setupjoiningazuread-1.png differ
diff --git a/devices/surface-hub/images/setupjoiningazuread-2.png b/devices/surface-hub/images/setupjoiningazuread-2.png
index 15c92a9413..9ec163f679 100644
Binary files a/devices/surface-hub/images/setupjoiningazuread-2.png and b/devices/surface-hub/images/setupjoiningazuread-2.png differ
diff --git a/devices/surface-hub/images/setupjoiningazuread-3.png b/devices/surface-hub/images/setupjoiningazuread-3.png
index a3e8dcd971..abe6691d92 100644
Binary files a/devices/surface-hub/images/setupjoiningazuread-3.png and b/devices/surface-hub/images/setupjoiningazuread-3.png differ
diff --git a/devices/surface-hub/images/setuplocaladmin.png b/devices/surface-hub/images/setuplocaladmin.png
index aa6caf16f0..30ac056c5a 100644
Binary files a/devices/surface-hub/images/setuplocaladmin.png and b/devices/surface-hub/images/setuplocaladmin.png differ
diff --git a/devices/surface-hub/images/setuplocale.png b/devices/surface-hub/images/setuplocale.png
index 3c0b6361b0..e9aa468697 100644
Binary files a/devices/surface-hub/images/setuplocale.png and b/devices/surface-hub/images/setuplocale.png differ
diff --git a/devices/surface-hub/images/setupmsg.jpg b/devices/surface-hub/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/devices/surface-hub/images/setupmsg.jpg differ
diff --git a/devices/surface-hub/images/setupnamedevice.png b/devices/surface-hub/images/setupnamedevice.png
index 5c09a6b786..5baa35c487 100644
Binary files a/devices/surface-hub/images/setupnamedevice.png and b/devices/surface-hub/images/setupnamedevice.png differ
diff --git a/devices/surface-hub/images/setupsecuritygroup-1.png b/devices/surface-hub/images/setupsecuritygroup-1.png
index fb5c6f7de2..bab6e2f197 100644
Binary files a/devices/surface-hub/images/setupsecuritygroup-1.png and b/devices/surface-hub/images/setupsecuritygroup-1.png differ
diff --git a/devices/surface-hub/images/setupsetupadmins.png b/devices/surface-hub/images/setupsetupadmins.png
index 3429407953..109cb1ea92 100644
Binary files a/devices/surface-hub/images/setupsetupadmins.png and b/devices/surface-hub/images/setupsetupadmins.png differ
diff --git a/devices/surface-hub/images/setupsetupforyou.png b/devices/surface-hub/images/setupsetupforyou.png
index 9c86134ed6..c0ea230caf 100644
Binary files a/devices/surface-hub/images/setupsetupforyou.png and b/devices/surface-hub/images/setupsetupforyou.png differ
diff --git a/devices/surface-hub/images/setupskipdeviceacct.png b/devices/surface-hub/images/setupskipdeviceacct.png
index 55cf72fe7f..7a71c7f982 100644
Binary files a/devices/surface-hub/images/setupskipdeviceacct.png and b/devices/surface-hub/images/setupskipdeviceacct.png differ
diff --git a/devices/surface-hub/images/sh-device-family-availability.png b/devices/surface-hub/images/sh-device-family-availability.png
new file mode 100644
index 0000000000..30b8a954af
Binary files /dev/null and b/devices/surface-hub/images/sh-device-family-availability.png differ
diff --git a/devices/surface-hub/images/sh-org-licensing.png b/devices/surface-hub/images/sh-org-licensing.png
new file mode 100644
index 0000000000..48c7033715
Binary files /dev/null and b/devices/surface-hub/images/sh-org-licensing.png differ
diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png
new file mode 100644
index 0000000000..cb072a9793
Binary files /dev/null and b/devices/surface-hub/images/sh-quick-action.png differ
diff --git a/devices/surface-hub/images/sh-select-template.png b/devices/surface-hub/images/sh-select-template.png
new file mode 100644
index 0000000000..58ab21481e
Binary files /dev/null and b/devices/surface-hub/images/sh-select-template.png differ
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
index bdb16e8e20..b3e35bb385 100644
Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
index 44bb2202f0..a10d4ffb51 100644
Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png
index 12783739ed..03125b3419 100644
Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ
diff --git a/devices/surface-hub/images/sign-in-prov.png b/devices/surface-hub/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/devices/surface-hub/images/sign-in-prov.png differ
diff --git a/devices/surface-hub/images/system-settings-add-fqdn.png b/devices/surface-hub/images/system-settings-add-fqdn.png
index 011d4a41f7..ef00872a16 100644
Binary files a/devices/surface-hub/images/system-settings-add-fqdn.png and b/devices/surface-hub/images/system-settings-add-fqdn.png differ
diff --git a/devices/surface-hub/images/trust-package.png b/devices/surface-hub/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/devices/surface-hub/images/trust-package.png differ
diff --git a/devices/surface-hub/images/who-owns-pc.png b/devices/surface-hub/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/devices/surface-hub/images/who-owns-pc.png differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index 8c84d59605..ddbbfb4fab 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -34,5 +34,7 @@ Documents related to the Microsoft Surface Hub.
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
+
[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.
+
[Change history for Surface Hub](change-history-surface-hub.md)
This topic lists new and updated topis in the Surface Hub documentation.
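Review bot: the unchanged context line `This topic lists new and updated topis in the Surface Hub documentation.` carries a typo, `topis` should be `topics`; since this hunk already touches the lines around it, fix it here rather than in a follow-up change.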
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 76cf98911f..2f658f6fd8 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -13,22 +13,158 @@ localizationpriority: medium
# Install apps on your Microsoft Surface Hub
+You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
-Admins can install apps can from either the Windows Store or the Windows Store for Business.
-
-## Using the Windows Store
+A few things to know about apps on Surface Hub:
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
+- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
+- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
+- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
+- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.
-Admins can install apps on the device using the Windows Store app available in **Settings** > **System** > **Microsoft Surface Hub**. They can start the store app, sign in using their Microsoft account credentials, browse, purchase, and install the apps as with any other Windows device.
+## Develop and test apps
+While you're developing your own app, there are a few options for testing apps on Surface Hub.
-## Using the Store for Business
+### Developer Mode
+By default, Surface Hub only runs UWP apps that have been published to and signed by the Windows Store. Apps submitted to the Windows Store go through security and compliance tests as part of the [app certification process](https://msdn.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process), so this helps safeguard your Surface Hub against malicious apps.
+
+By enabling developer mode, you can also install developer-signed UWP apps.
+
+> [!IMPORTANT]
+> After developer mode has been enabled, you will need to reset the Surface Hub to disable it. Resetting the device removes all local user files and configurations and then reinstalls Windows.
+
+**To turn on developer mode**
+1. From your Surface Hub, start **Settings**.
+2. Type the device admin credentials when prompted.
+3. Navigate to **Update & security** > **For developers**.
+4. Select **Developer mode** and accept the warning prompt.
+
+### Visual Studio
+During development, the easiest way to test your app on a Surface Hub is using Visual Studio. Visual Studio's remote debugging feature helps you discover issues in your app before deploying it broadly. For more information, see [Test Surface Hub apps using Visual Studio](https://msdn.microsoft.com/windows/uwp/debug-test-perf/test-surface-hub-apps-using-visual-studio).
+
+### Provisioning package
+Use Visual Studio to [create an app package](https://msdn.microsoft.com/library/windows/apps/hh454036.aspx) for your UWP app, signed using a test certificate. Then use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
-For apps purchased through the Store for Business, download the Appxbundle, offline license, and the dependencies for the App from the store to a separate PC. Create a provisioning package and copy it to a USB drive. (See [Create a provisioning package](provisioning-packages-for-certificates-surface-hub.md).) Move the USB drive to the Surface Hub, and install the app on the device using the Settings app.
+## Submit apps to the Windows Store
+Once an app is ready for release, developers need to submit and publish it to the Windows Store. For more information, see [Publish Windows apps](https://developer.microsoft.com/store/publish-apps).
+
+During app submission, developers need to set **Device family availability** and **Organizational licensing** options to make sure the app will be available to run on Surface Hub.
+
+**To set device family availability**
+1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
+2. Select **Packages**.
+3. Under Device family availability, select these options:
+ - **Windows 10 Desktop** (other device families are optional)
+ - **Let Microsoft decide whether to make the app available to any future device families**
+
+
+
+For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
+
+**To set organizational licensing**
+1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
+2. Select **Pricing and availability**.
+3. Under Organizational licensing, select **Allow disconnected (offline) licensing for organizations**.
+
+
+
+> [!NOTE]
+> **Make my app available to organizations with Store-managed (online) licensing and distribution** is selected by default.
+
+> [!NOTE]
+> Developers can also publish line-of-business apps directly to enterprises without making them broadly available in the Store. For more information, see [Distribute LOB apps to enterprises](https://msdn.microsoft.com/windows/uwp/publish/distribute-lob-apps-to-enterprises).
+
+For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
+
+
+## Deploy released apps
+
+There are several options for installing apps that have been released to the Windows Store, depending on whether you want to evaluate them on a few devices, or deploy them broadly to your organization.
+
+To install released apps:
+- Download the app using the Windows Store app, or
+- Download the app package from the Windows Store for Business, and distribute it using a provisioning package or a supported MDM provider.
+
+### Windows Store app
+To evaluate apps released on the Windows Store, use the Windows Store app on the Surface Hub to browse and download apps.
+
+> [!NOTE]
+> Using the Windows Store app is not the recommended method of deploying apps at scale to your organization:
+> - To download apps, you must sign in to the Windows Store app with a Microsoft account or organizational account. However, you can only connect an account to a maximum of 10 devices at once. If you have more than 10 Surface Hubs, you will need to create multiple accounts or remove devices from your account between app installations.
+> - To install apps, you will need to manually sign in to the Windows Store app on each Surface Hub you own.
+
+**To browse the Windows Store on Surface Hub**
+1. From your Surface Hub, start **Settings**.
+2. Type the device admin credentials when prompted.
+3. Navigate to **This device** > **Apps & features**.
+4. Select **Open Store**.
+
+### Download app packages from Windows Store for Business
+To download the app package you need to install apps on your Surface Hub, visit the [Windows Store for Business](https://www.microsoft.com/business-store). The Store for Business is where you can find, acquire, and manage apps for the Windows 10 devices in your organization, including Surface Hub.
+
+> [!NOTE]
+> Currently, Surface Hub only supports offline-licensed apps available through the Store for Business. App developers set offline-license availability when they submit apps.
+
+Find and acquire the app you want, then download:
+- The offline-licensed app package (either an .appx or an .appxbundle)
+- The *unencoded* license file (if you're using provisioning packages to install the app)
+- The *encoded* license file (if you're using MDM to distribute the app)
+- Any necessary dependency files
+
+For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app).
+
+### Provisioning package
+You can manually install the offline-licensed apps that you downloaded from the Store for Business on a few Surface Hubs using provisioning packages. Use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package and *unencoded* license file that you downloaded from the Store for Business. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
+
+### Supported MDM provider
+To deploy apps to a large number of Surface Hubs in your organization, use a supported MDM provider. The table below shows which MDM providers support deploying offline-licensed app packages.
+
+| MDM provider | Supports offline-licensed app packages |
+|-----------------------------|----------------------------------------|
+| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
+| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
+| Microsoft Intune standalone | No |
+| Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
+
+**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
+
+> [!NOTE]
+> These instructions are based on the current branch of System Center Configuration Manager.
+
+1. Enroll your Surface Hubs to System Center Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm).
+2. Download the offline-licensed app package, the *encoded* license file, and any necessary dependency files from the Store for Business. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app). Place the downloaded files in the same folder on a network share.
+3. In the **Software Library** workspace of the Configuration Manager console, click **Overview** > **Application Management** > **Applications**.
+4. On the **Home** tab, in the **Create** group, click **Create Application**.
+5. On the **General** page of the **Create Application Wizard**, select the **Automatically detect information about this application from installation files** check box.
+6. In the **Type** drop-down list, select **Windows app package (\*.appx, \*.appxbundle)**.
+7. In the **Location** field, specify the UNC path in the form \\server\share\\filename for the offline-licensed app package that you downloaded from the Store for Business. Alternatively, click **Browse** to browse to the app package.
+8. On the **Import Information** page, review the information that was imported, and then click **Next**. If necessary, you can click **Previous** to go back and correct any errors.
+9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package.
+10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard.
+11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application).
+12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications).
+13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx).
+
+> [!NOTE]
+> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to System Center Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with System Center Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Windows Store for Business with System Center Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx).
+
+
+## Summary
+
+There are a few different ways to install apps on your Surface Hub depending on whether you are developing apps, evaluating apps on a small number of devices, or deploying apps broadly to your oganization. This table summarizes the supported methods:
+
+| Install method | Developing apps | Evaluating apps on a few devices | Deploying apps broadly to your organization |
+| -------------------------- | --------------- | ------------------------------------- | ---------------------- |
+| Visual Studio | X | | |
+| Provisioning package | X | X | |
+| Windows Store app | | X | |
+| Supported MDM provider | | | X |
+
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
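Review bot: the Developer Mode section says Store signing "helps safeguard your Surface Hub against malicious apps" and that the mode can only be turned off by a full reset, but it never tells the reader not to enable it on a device in service; add a sentence to the `[!IMPORTANT]` block recommending that developer mode be enabled only on dedicated test units, since once enabled the Hub accepts developer-signed packages until it is reset. Two smaller points in the same hunk: step 7 of the Configuration Manager procedure writes the UNC path as `\\server\share\\filename`, which Markdown renders as `\server\share\filename` because the escaping is inconsistent (either escape every backslash or put the path in backticks), and the Summary paragraph misspells `oganization`.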
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
new file mode 100644
index 0000000000..dea2a514bd
--- /dev/null
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -0,0 +1,51 @@
+---
+title: Local management Surface Hub settings
+description: How to manage Surface Hub settings with Settings.
+keywords: manage Surface Hub, Surface Hub settings
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Local management for Surface Hub settings
+
+After initial setup of Microsoft Surface Hub, the device’s settings can be locally managed through **Settings**.
+
+## Surface Hub settings
+
+Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs.
+
+| Setting | Location | Description |
+| ------- | -------- | ----------- |
+| Device account | This device > Accounts | Set or change the Surface Hub's device account. |
+| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
+| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. |
+| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
+| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. |
+| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. |
+| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. |
+| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
+| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
+| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. |
+| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. |
+| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
+| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. |
+| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. |
+| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
+| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
+| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. |
+| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
+| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |
+| Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. |
+| Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. |
+
+## Related topics
+
+[Manage Surface Hub settings](manage-surface-hub-settings.md)
+
+[Remote Surface Hub management](remote-surface-hub-management.md)
+
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
\ No newline at end of file
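Review bot: the new file lacks a trailing newline (`\ No newline at end of file`), and the sentence introducing the table has a typo, `cofigurable` should be `configurable`. In the table, `Backup your Surface Hub's BitLocker key` uses the noun where the verb `Back up` is meant, and `Session time out` / `Sleep time out` would normally be written `timeout` to match the other setting names. Since the `Save BitLocker key` row only says which media to export the key to, consider adding where the exported key should then be kept, as the row stands it reads like the USB drive is the final destination.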
diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
index 05b356e461..db9230f9ad 100644
--- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
@@ -2,6 +2,7 @@
title: Manage settings with a local admin account (Surface Hub)
description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
+redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
keywords: local admin account, Surface Hub, change local admin options
ms.prod: w10
ms.mktglfcycl: manage
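Review bot: adding `redirect_url` while leaving `title`, `description` and `keywords` unchanged means the front matter still advertises content (`A local admin account will be set up on every Microsoft Surface Hub as part of the first run program...`) that the following hunk deletes; shorten the description to a one-line redirect notice or drop it, and confirm that the target topic `admin-group-management-for-surface-hub` is part of this change set so the redirect does not land on a missing page.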
@@ -10,113 +11,3 @@ ms.pagetype: surfacehub
author: TrudyHa
localizationpriority: medium
---
-
-# Manage settings with a local admin account (Surface Hub)
-
-
-A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
-
-Every device can be configured individually by opening the Settings app on the device you want to configure. However, to prevent people who are not administrators from changing the devices’ settings, the Settings app requires local administrator credentials to open the app and change settings.
-
-You can set up a local administrator in one of three ways (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)):
-
-1. Create a local admin
-2. Domain join the device (AD)
-3. Azure Active Directory (Azure AD) join the device.
-
-### Which method should I choose?
-
-If your organization is using Active Directory or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain or organization.
-
-Preferably, a local admin is set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
-
-### Summary table
-
-
-
-
How is the local admin set up?
-
Requirements
-
Which credentials will open Settings?
-
-
-
A local admin was created
-
-
-
None
-
-
-
The credentials of the local admin account.
-
-
-
-
-
The device is joined to a domain (AD)
-
-
-
Your organization is using Active Directory
-
-
-
Credentials of any Active Directory account from the security group that was specified furing first run.
-
-
-
-
-
The device is joined to Azure AD
-
-
-
Your organization is using Azure AD Basic
-
-
-
Tenant or device admins
-
-
-
-
-
Your organization is using Azure AD Premium
-
-
-
Tenant or device admins, plus additional specified employees
-
-
-
-
-### Create a local admin
-
-To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will unlock the Settings app (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)). Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory or Azure Active Directory. If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from a local admin you created to a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again.
-
-### Domain join the device
-
-After you domain join the device, you can set up a security group from your domain as local administrators on the Surface Hub. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. When the Setting app is opened, any user who is a member of that security group can enter their credentials and unlock Settings.
-
->**Note** Surface Hubs domain join for the sole purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
-
-
-
-### Azure AD join the device
-
-You can set up people from your Azure Active Directory (Azure AD) organization as local administrators on the Surface Hub after you Azure AD join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you join Azure AD successfully, the appropriate people will be set as local admins on the device. When the Setting app is opened, any user who was set up as a local admin as a result of joining Azure AD can enter their credentials and unlock Settings. We recommend that you use the device account to join Azure AD.
-
-Otherwise, if you don’t want to use the device account to join Azure AD, you can use either of the following accounts:
-
-- The org account of an admin who will manage the device, or
-- A separate account that is part of your organization and used only for joining Surface Hubs.
-
->**Note** If your Azure AD organization is also configured with MDM enrollment, Surface Hubs will also be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be widely managed using an MDM solution, which opts these devices into remote management. You may want to choose an account to join Azure AD that benefits how you manage devices—you find more info about this in the [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm) section.
-
-
-
-## Related topics
-
-
-[Manage Microsoft Surface Hub](manage-surface-hub.md)
-
-[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
-
-
-
-
-
-
-
-
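Review bot: the "Create a local admin", "Domain join the device" and "Azure AD join the device" sections (and the Related topics block) are deleted from this file with no replacement visible in this diff; confirm they have been moved to another topic, because the retained table above still tells readers which credentials unlock Settings for each join type without saying how that join is set up. Dropping the old note that Azure AD join also enrolls the Hub into MDM is consistent with the new note added to manage-settings-with-mdm-for-surface-hub.md in this same change, which states that automatic Intune enrollment through Azure AD join is not supported. While the file is being touched, the unchanged context line "specified furing first run" still carries the typo "furing" (should be "during").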
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 1db4d6fbe1..275688b9a0 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -13,116 +13,215 @@ localizationpriority: medium
# Manage settings with an MDM provider (Surface Hub)
+Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
-Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
+Surface Hub has been validated with Microsoft’s first-party MDM providers:
+- On-premises MDM with System Center Configuration Manager (beginning in version 1602)
+- Hybrid MDM with System Center Configuration Manager and Microsoft Intune
+- Microsoft Intune standalone
-The Surface Hub operating system has a built-in management component that's used to communicate with the device management server. There are two parts to the Surface Hub management component: the enrollment client, which enrolls and configures the device to communicate with the enterprise management server; and the management client, which periodically synchronizes with the management server to check for and apply updates. Third-party MDM servers can manage Surface Hub devices by using the Mobile Device Management protocol.
+You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
-### Supported services
+## Enroll a Surface Hub into MDM
+You can enroll your Surface Hubs using bulk or manual enrollment.
-Surface Hub management has been validated for the following MDM providers:
+> [!NOTE]
+> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
+>
+> **To disable automatic enrollment for Microsoft Intune**
+> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
+> 2. Click the **Applications** tab, then click **Microsoft Intune**.
+> 3. Under **Manage devices for these users**, click **Groups**.
+> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune.
+> 5. Click the checkmark button, then click **Save**.
-- Microsoft Intune
-- System Center Configuration Manager
+### Bulk enrollment
+**To configure bulk enrollment**
+- Surface Hub supports the [Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) for bulk enrollment into MDM. For more information, see [Windows 10 bulk enrollment](https://msdn.microsoft.com/library/windows/hardware/mt613115.aspx).
+--OR--
+- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
-### Enroll a Surface Hub into MDM
+### Manual enrollment
+**To configure manual enrollment**
+1. From your Surface Hub, open **Settings**.
+2. Type the device admin credentials when prompted.
+3. Select **This device**, and navigate to **Device management**.
+4. Under **Device management**, select **+ Device management**.
+5. Follow the instructions in the dialog to connect to your MDM provider.
-If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscription, the device can automatically enroll into MDM and will be ready for remote management.
+## Manage Surface Hub settings with MDM
-Alternatively, the device can be enrolled like any other Windows device by going to **Settings** > **Accounts** > **Work access**.
+You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
-
+### Supported Surface Hub CSP settings
-### Manage a device through MDM
+You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
-The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings.
+For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
-
Set the maintenance window start time. This time is in minutes past midnight. To set a 2:00 am start time, set a value of 120, meaning 120 minutes past midnight.
Change the background image for the welcome screen using a PNG image URL.
-
./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)
-
String
-
-
-
+| Setting | Node in the SurfaceHub CSP | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| -------------------- | ---------------------------------- | ------------------------- | ---------------------------------------- | ------------------------- |
+| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
+| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
+| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes. Use a custom setting. | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes. Use a custom setting. | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID MOMAgent/WorkspaceKey | Yes | Yes. Use a custom setting. | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes. Use a custom setting. | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes. Use a custom setting. | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Device account, including password rotation | DeviceAccount/*``* See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-
+### Supported Windows 10 settings
+
+In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/library/windows/hardware/dn920025.aspx).
+
+The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
+
+#### Security settings
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+
+#### Browser settings
+
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+
+#### Windows Update settings
+
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes|
+| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+
+#### Windows Defender settings
+
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
+
+#### Remote reboot
+
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+
+#### Install certificates
+
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes. See [Configure Intune certificate profiles](https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles). | Yes. See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles). | Yes |
+
+
+#### Collect logs
+
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes |
+
+
+### Generate OMA URIs for settings
+You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
+
+**To generate the OMA URI for any setting in the CSP documentation**
+1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
+*For example, the root node of the [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) is `./Vendor/MSFT/SurfaceHub`.*
+2. Identify the node path for the setting you want to use.
+*For example, the node path for the setting to enable wireless projection is `InBoxApps/WirelessProjection/Enabled`.*
+3. Append the node path to the root node to generate the OMA URI.
+*For example, the OMA URI for the setting to enable wireless projection is `./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled`.*
+
+The data type is also stated in the CSP documentation. The most common data types are:
+- char (String)
+- int (Integer)
+- bool (Boolean)
+
+## Example: Manage Surface Hub settings with Micosoft Intune
+
+You can use Microsoft Intune to manage Surface Hub settings.
+
+**To create a configuration policy from a template**
+
+You'll use the **Windows 10 Team general configuration policy** as the template.
+
+1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
+2. On the left-hand navigation menu, click **Policy**.
+3. In the Overview page, click **Add Policy**.
+4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**.
+5. Configure your policy, then click **Save Policy**
+6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
+
+**To create a custom configuration policy**
+
+You’ll need to create a custom policy to manage settings that are not available in the template.
+
+1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
+2. On the left-hand navigation menu, click **Policy**.
+3. In the Overview page, click **Add Policy**.
+4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+5. Type a name and optional description for the policy.
+6. Under OMA-URI Settings, click **Add**.
+7. Complete the form to create a new setting, and then click **OK**.
+8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
+9. Once you're done, click **Save Policy** and deploy it to a user or device group.
+
+## Example: Manage Surface Hub settings with System Center Configuration Manager
+System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
+
+> [!NOTE]
+> These instructions are based on the current branch of System Center Configuration Manager.
+
+**To create a configuration item for Surface Hub settings**
+
+1. On the **Assets and Compliance** workspace of the Configuration Manager console, click **Overview** > **Compliance Settings** > **Configuration Items**.
+2. On the **Home** tab, in the **Create** group, click **Create Configuration Item**.
+3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
+4. Under **Specify the type of configuration item that you want to create**, select **Windows 8.1 and Windows 10**.
+5. Click **Categories** if you create and assign categories to help you search and filter configuration items in the Configuration Manager console.
+6. On the **Supported Platforms** page, select **Windows 10** > **All Windows 10 Team and higher**. Unselect the other Windows platforms.
+7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
+8. On the **Windows 10 Team** page, configure the settings you require.
+9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
+10. On the **Additional Settings** page, click **Add**.
+11. On the **Browse Settings** dialog, click **Create Setting**.
+12. On the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
+13. Under **Setting type**, select **OMA URI**.
+14. Complete the form to create a new setting, and then click **OK**.
+15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
+16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
+17. Repeat Steps 10 to 16 for each custom setting you want to add to the configuration item.
+18. Once you're done, on the **Browse Settings** dialog, click **Close**.
+19. Complete the wizard. You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace.
+
+For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
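Review bot: the unchanged context lines sitting between the "For more information, see SurfaceHub configuration service provider" paragraph and the new markdown table ("Set the maintenance window start time...", "Change the background image...", "./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)", "String") look like orphaned cells of the old HTML table that survive into the new file as stray text and should be removed. Before dropping them, carry the https requirement for CurrentBackgroundPath into the "Welcome screen background image" row of the new table, since the new table no longer tells admins that the background image URL must be served over https. Also: the `*``*` wildcard in the DeviceAccount, Bluetooth, DeliveryOptimization and Defender rows renders as an empty inline-code span and looks like a lost placeholder; "Update/ DeferFeatureUpdatesPeriodInDays" has a stray space inside the link text; the heading "Manage Surface Hub settings with Micosoft Intune" misspells Microsoft; step 5 under "To create a configuration policy from a template" lacks a terminating period; and "--OR--" between the two bulk-enrollment bullets breaks the list, so either place it as plain text outside the list or fold the two options into one sentence.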
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
new file mode 100644
index 0000000000..5413d28a30
--- /dev/null
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -0,0 +1,24 @@
+---
+title: Manage Surface Hub settings
+description: This section lists topics for managing Surface Hub settings.
+keywords: Surface Hub accessibility settings, device account, device reset, windows updates, wireless network management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Manage Surface Hub settings
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | Learn about Surface Hub settings. |
+| [Accessibility](accessibility-surface-hub.md) | Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.|
+| [Change the Surface Hub device account](change-surface-hub-device-account.md) | You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.|
+| [Device reset](device-reset-surface-hub.md) | You may need to reset your Surface Hub.|
+| [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) | Options to configure domain name with Surface Hub. |
+| [Wireless network management](wireless-network-management-for-surface-hub.md) | Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. |
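Review bot: the description for the first row of the topic table ("Learn about Surface Hub settings.") says nothing about what the linked Local management topic actually covers, unlike every other row; a one-line summary (for example, that it covers changing settings through the Settings app, which requires admin credentials) would match the rest of the table. Minor: "Options to configure domain name with Surface Hub" needs an article ("a domain name").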
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index f1ea0e3ebc..b464c430f2 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -13,212 +13,25 @@ localizationpriority: medium
# Manage Microsoft Surface Hub
+After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways:
-How to manage your Surface Hub after finishing the first-run program.
+- **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md).
+- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md).
-## Introduction
-
-
-After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in several ways:
-
-- Local management: using the Settings app on the device
-- Remote management: using a mobile device management (MDM) solution, like Microsoft Intune, AirWatch, or System Center 2012 R2 Configuration Manager.
-
-For locally-managed devices, administrator credentials are required to use the Settings app. These can be login credentials for Active Directory, Azure Active Directory (Azure AD), or a local admin account. One of these will have been selected during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)).
-
-For remotely-managed devices, the device must be enrolled into an MDM solution, either during first run or in the Settings app.
-
-Be aware that the two management methods are not mutually exclusive—every device will have the capability to be locally managed, and devices can be remotely managed if you choose.
-
->**Note** If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes.
-
-
-
-## Surface Hub-only settings
-
-
-Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs.
-
-
-
-
-
-
-
-
-
-
Setting
-
Location
-
Description
-
-
-
-
-
Change friendly name
-
System - About
-
Set the Surface Hub name that people will see when connecting wirelessly.
-
-
-
Collect logs
-
System - About
-
Collect logs to give to Microsoft Support.
-
-
-
Change meeting info shown on the welcome screen
-
System – Microsoft Surface Hub
-
Choose whether meeting organizer, time, and subject show up on the welcome screen.
-
-
-
Session time out
-
System – Microsoft Surface Hub
-
Choose how long the device needs to be inactive before returning to the welcome screen.
-
-
-
Turn on screen with motion sensors
-
System – Microsoft Surface Hub
-
Choose whether the screen turns on when motion is detected.
-
-
-
Configure Microsoft Operational Management Suite (MOMS)
-
System – Microsoft Surface Hub
-
Add information to set up monitoring using MOMS.
-
-
-
Change Skype for Business fully qualified domain name (FQDN)
-
System – Microsoft Surface Hub
-
Add the FQDN for a Skype for Business certificate.
-
-
-
Save BitLocker key
-
System – Microsoft Surface Hub
-
Set the default destination for saving the BitLocker recovery key to a USB drive.
-
-
-
Turn off wireless projection using Miracast
-
Devices - Connect
-
Choose whether presenters can wirelessly project to the Surface Hub using Miracast.
-
-
-
Require a PIN for wireless projection
-
Devices - Connect
-
Choose whether people are required to enter a PIN before they use wireless projection.
-
-
-
Wireless projection (Miracast) channel
-
Devices - Connect
-
Change the channel for Miracast projection.
-
-
-
Change device account
-
Accounts - All accounts
-
Change the Surface Hub's device account.
-
-
-
Check sync status
-
Accounts - All accounts
-
Check the sync status of the device account’s mail and calendar on the Surface Hub.
-
-
-
Turn on password rotation
-
Accounts - All accounts
-
Choose whether the device account’s password will automatically change every day (Active Directory only).
-
-
-
Edit admin account
-
Accounts - All accounts
-
Change the password for the local admin account.
-
-
-
Change maintenance hours
-
Updates & security – Windows Update – Advanced settings
-
Set the hours when updates can be installed.
-
-
-
Configure Windows Server Update Services (WSUS) server
-
Updates & security – Windows Update – Advanced settings
-
Change whether the device receives updates from the WSUS you choose.
-
-
-
-
-
-
-## Which should I choose?
-
-
-If you plan to deploy multiple Surface Hubs, we recommend that you manage your devices remotely. This requires that your organization use an MDM solution to deploy policies.
-
-Every Surface Hub can be managed locally by an admin who physically logs in to the device. Which method is used to log in is decided during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)).
+> [!NOTE]
+> These management methods are not mutually exclusive. Devices can be both locally and remotely managed if you choose. However, MDM policies and settings will overwrite any local changes when the Surface Hub syncs with the management server.
## In this section
+Learn about managing and updating Surface Hub.
-
-
-
-
-
-
-
-
Topic
-
Description
-
-
-
-
-
[Accessibility](accessibility-surface-hub.md)
-
Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.
-
-
-
[Change the Surface Hub device account](change-surface-hub-device-account.md)
-
You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.
-
-
-
[Device reset](device-reset-suface-hub.md)
-
You may wish to reset your Surface Hub.
-
-
-
[Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-
Admins can install apps can from either the Windows Store or the Windows Store for Business.
-
-
-
[Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)
-
A local admin account will be set up on every Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
-
-
-
[Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-
Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
-
-
-
[Monitor your Surface Hub](monitor-surface-hub.md)
-
Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
-
-
-
[Save your BitLocker key](save-bitlocker-key-surface-hub.md)
-
Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
-
-
-
[Using a room control system](use-room-control-system-with-surface-hub.md)
-
Room control systems can be used with your Surface Hub.
Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection.
-
-
-
-
-
-
-
-
-
-
-
-
-
+| Topic | Description |
+| ----- | ----------- |
+| [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
+| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
+| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.|
+| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.|
+| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
+| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
+| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
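Review bot: the new "In this section" table at the end of this hunk ships a duplicated word and two grammar slips: the Install apps row says "Admins can install apps can from either the Windows Store or the Windows Store for Business." (the stray "can" is inherited from the removed row), the Connect row says "connect other device" (devices), and the first row's "Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring..." should read "Includes installing apps, managing settings with MDM, and monitoring...". The Install apps and room control rows also have a space after `](`, which some Markdown renderers treat as a broken link; drop it, and consider relative `.md` links as the Remote management and Manage settings rows use. Separately, the unchanged context line "Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired." now sits between "Learn about managing and updating Surface Hub." and the table with no heading, reading as a stray paragraph; it belongs in the wireless network topic. Last, the new "Manage Surface Hub settings" description lists accessibility, device account, device reset, FQDN, Windows Update and wireless network, but not the local admin account or device-account password rotation that the removed settings table documented; confirm those are covered in the linked page so admins can still find them.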
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index c4d7d2f8d9..e41075f908 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -13,61 +13,125 @@ localizationpriority: medium
# Windows updates (Surface Hub)
+New releases of the Surface Hub operating system are published through Windows Update, just like releases of Windows 10. There are a couple of ways you can manage which updates are installed on your Surface Hubs, and the timing for when updates are applied.
+- **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsoft’s Windows Update service.
+- **Windows Server Update Services (WSUS)** - Set of services that enable IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Using this method, Surface Hubs will receive updates from WSUS rather than Windows Update.
-You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
+You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
-### Maintenance window
+| Capabilities | Windows Update for Business | Windows server Update Services (WSUS) |
+| ------------ | --------------------------- | ------------------------------------- |
+| Receive updates directly from Microsoft's Windows Update service, with no additional infrastructure required. | Yes | No |
+| Defer updates to provide additional time for testing and evaluation. | Yes | Yes |
+| Deploy updates to select groups of devices. | Yes | Yes |
+| Define maintenance windows for installing updates. | Yes | Yes |
+
+> [!TIP]
+> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
+
+> [!NOTE]
+> Surface Hub does not currently support rolling back updates.
+
+
+## Surface Hub servicing model
+
+Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+
+Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
+
+In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
+
+The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+
+For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview).
+
+
+## Use Windows Update for Business
+Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb).
+
+**To set up Windows Update for Business:**
+1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
+2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
+2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
+
+> [!NOTE]
+> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
+
+
+### Group Surface Hub into deployment rings
+Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
+
+This table gives examples of deployment rings.
+
+| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
+| --------- | --------- | --------- | --------- | --------- | --------- |
+| Evaluation (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Pilot (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 60 days after CBB is released. | 14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+
+
+### Configure Surface Hub to use Current Branch or Current Branch for Business
+By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+
+**To manually configure Surface Hub to use CB or CBB:**
+1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
+2. Select **Defer feature updates**.
+
+To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
+
+
+### Configure when Surface Hub receives updates
+Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+
+> [!NOTE]
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+
+
+## Use Windows Server Update Services
+
+You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
+
+**To manually connect a Surface Hub to a WSUS server:**
+1. Open **Settings** on your Surface Hub.
+2. Enter the device admin credentials when prompted.
+3. Navigate to **Update & security** > **Windows Update** > **Advanced options** > **Configure Windows Server Update Services (WSUS) server**.
+4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server.
+
+To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
+
+
+## Maintenance window
+
+To ensure the device is always available for use during business hours, Surface Hub performs its administrative functions during a specified maintenance window. During the maintenance window, the Surface Hub automatically installs updates through Windows Update or WSUS, and reboots the device if needed.
+
+Surface Hub follows these guidelines to apply updates:
+- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window.
+- If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used.
+- If a pending update is past the update’s prescribed grace period, the update will be immediately installed. If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window.
+
+> [!NOTE]
+> Allow time for updates when you first setup your Surface Hub. For example, a backlog of virus definitions may be available, which should be immediately installed.
A default maintenance window is set for all new Surface Hubs:
+- **Start time:** 3:00 AM
+- **Duration:** 1 hour
-- Start time: 3:00 AM
-- Duration: 1 hour
+**To manually change the maintenance window:**
+1. Open **Settings** on your Surface Hub.
+2. Navigate to **Update & security** > **Windows Update** > **Advanced options**.
+3. Under **Maintenance hours**, select **Change**.
-Most Windows updates are downloaded and installed automatically by Surface Hub. You can change the maintenance window to limit when the device can be automatically rebooted after a Windows update installation. For those updates that require a reboot of the device, the update installation will be postponed until the maintenance window begins. If a meeting is scheduled to start during the maintenance window, or if the Surface Hub sensors detect that the device is being used, the pending installation will be postponed to the next maintenance window.
+To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
->**Note**: If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed. The device will ignore meetings or sensor status and reboot during the maintenance window.
-
-
-
-To change the default maintenance window:
-
-1. Open the Settings app.
-2. Navigate to **Update and Security** > **Advanced Options**.
-3. Under **Maintenance hours**, click **Change**.
-
-### Deferring Windows updates
-
-You can choose to defer downloading or installing updates that install new Windows features. When you do, new Windows features won’t be downloaded or installed for up to several months. Deferring updates doesn’t affect security updates, which will be downloaded and installed as usual.
-
-To defer Windows feature updates:
-
-1. Open the Settings app.
-2. Navigate to **Update and Security** > **Advanced Options**.
-3. Click on the checkbox for **Defer upgrades**.
-
-### Using WSUS
-
-You can use WSUS to manage the download and installation of Windows updates on your Surface Hub.
-
-To connect a Surface Hub to a WSUS server:
-
-1. Open the Settings app.
-2. Navigate to **Update and Security** > **Advanced Options**.
-3. Click on the checkbox for **Configure Windows Server Update Services (WSUS) server**.
-4. Check the box for **Use WSUS Server to download updates** and enter the WSUS endpoint.
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
-
-
-
-
-
-
-
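Review bot: several new lines in this hunk are not separated from the preceding block by a blank line, so Markdown lazy continuation will swallow them: the context line "A default maintenance window is set for all new Surface Hubs:" now directly follows `> Allow time for updates when you first setup your Surface Hub.` and will render inside the NOTE callout; `**To manually change the maintenance window:**` directly follows `- **Duration:** 1 hour` and becomes part of that list item; and "To change the maintenance window using MDM, set the **MOMAgent** node..." attaches to step 3 of the list above it. Add a blank line before each. On that last line the node name looks wrong: by its name, MOMAgent is the Operations Management Suite monitoring agent (the same MOMS/OMS setting this patch documents elsewhere), not the maintenance window; verify the SurfaceHub CSP node for maintenance hours before pointing admins at it, since that window decides when security updates and reboots actually land. The rewrite also drops the concrete figure from the removed note ("If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed") and replaces it with "the update's prescribed grace period" without stating a value; admins sizing deferrals need the number, or a link to where it is defined. Smaller fixes: "indows Server Update Services" under "Use Windows Server Update Services", "first setup" should be "first set up", the WUfB setup list is numbered 1, 2, 2, and the table header "Windows server Update Services" needs a capital S.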
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index b28e3e7208..9f45d3d355 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -13,72 +13,132 @@ localizationpriority: medium
# Monitor your Microsoft Surface Hub
+Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). The [Operations Management Suite](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs.
-Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
-The [Operations Management Suite (OMS)](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs. You can use OMS to help you track the health of your Surface Hubs as well as understand how they are being used. Log files are read on the devices and sent to the OMS service. Issues like servers being offline, the calendar not syncing, or the device account being unable to log into Skype are shown in OMS in the Surface Hub dashboard. By using the data in the dashboard, you can identify devices that are not running, or that are having other problems, and potentially apply fixes for the detected issues.
+Surface Hub is offered as a Log Analytics solution in OMS, allowing you to collect and view usage and reliability data across all your Surface Hubs. Use the Surface Hub solution to:
+- Inventory your Surface Hubs.
+- View a snapshot of usage and reliability data for Skype meetings, wired and wireless projection, and apps on your Surface Hubs.
+- Create custom alerts to respond quickly if your Surface Hubs report software or hardware issues.
-### OMS requirements
+## Add Surface Hub to Operations Management Suite
-In order to manage your Surface Hubs from the Microsoft Operations Management Suite (OMS), you'll need the following:
+1. **Sign in to Operations Management Suite (OMS)**. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+2. **Create a new OMS workspace**. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+3. **Link Azure subscription to your workspace**. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
-- A valid [subscription to OMS](http://www.microsoft.com/server-cloud/operations-management-suite/overview.aspx).
-- [Subscription level](https://go.microsoft.com/fwlink/?LinkId=718139) in line with the number of devices. OMS pricing varies depending on how many devices are enrolled, and how much data it processes. You'll want to take this into consideration when planning your Surface Hub rollout.
+ > [!NOTE]
+ > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
-Next, you will either add an OMS subscription to your existing Microsoft Azure subscription or create a new workspace directly through the OMS portal. Detailed instructions for setting up the account can be found at: [Onboard in minutes](https://go.microsoft.com/fwlink/?LinkId=718141). Once the OMS subscription is set up, there are two ways to enroll your Surface Hub devices:
+4. **Add Surface Hub solution**. In the Solutions Gallery, select the **Surface Hub** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace.
-1. Automatically through [InTune](https://go.microsoft.com/fwlink/?LinkId=718150), or
-2. Manually through Settings.
+## Use the Surface Hub dashboard
+From the **Overview** page in your OMS workspace, click the Surface Hub tile to see the Surface Hub dashboard. Use the dashboard to get a snapshot of usage and reliability data across your Surface Hubs. Click into each view on the dashboard to see detailed data, modify the query as desired, and create alerts.
-### Setting up monitoring
+> [!NOTE]
+> Most of these views show data for the past 30 days, but this is subject to your subscription's data retention policy.
-You can monitor health and activity of your Surface Hub using Microsoft Operations Management Suite (OMS). The device can be enrolled in OMS remotely, using InTune, or locally, by using Settings.
+**Active Surface Hubs**
-### Enrolling devices through InTune
+Use this view to get an inventory of all your Surface Hubs. Once connected to OMS, each Surface Hub periodically sends a "heartbeat" event to the server. This view shows Surface Hubs that have reported a heartbeat in the past 24 hours.
-You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
+
+
+**Wireless projection**
-1. Sign in to InTune.
-2. Navigate to **Settings** > **Connected Sources**.
-3. Create or edit a policy based on the Surface Hub template.
-4. Navigate to the OMS section of the policy, and add the **workspace ID** and **primary key** to the policy.
-5. Save the policy.
-6. Associate the policy with the appropriate group of devices.
+Use this view to get usage and reliability data for wireless projection over the past 30 days. The graph shows the total number of wireless connections across all your Surface Hubs, which provides an indication whether people in your organization are using this feature. If it's a low number, it may suggest a need to provide training to help people in your organization learn how to wirelessly connect to a Surface Hub.
+
+Also, the graph shows a breakdown of successful and unsuccessful connections. If you see a high number of unsuccessful connections, devices may not properly support wireless projection using Miracast. For best performance, Microsoft suggests that devices run a WDI Wi-Fi driver and a WDDM 2.0 graphics driver. Use the details view to learn if wireless projection problems are common with particular devices.
+
+When a connection fails, users can also do the following if they are using a Windows laptop or phone:
+- Remove the paired device from **Settings** > **Devices** > **Connected devices**, then try to connect again.
+- Reboot the device.
+
+**Wired projection**
-InTune will now sync the OMS settings with the devices in the target group, enrolling them in your OMS workspace.
+Use this view to get usage and reliability data for wired projection over the past 30 days. If the graph shows a high number of unsuccessful connections, it may indicate a connectivity issue in your audio-visual pipeline. For example, if you use a HDMI repeater or a center-of-room control panel, they may need to be restarted.
+
+**Application usage**
-### Enrolling devices using the Settings app
+Use this view to get usage data for apps on your Surface Hubs over the past 30 days. The data comes from app launches on your Surface Hubs, not including Skype for Business. This view helps you understand which Surface Hub apps are the most valuable in your organization. If you are deploying new line-of-business apps in your environment, this can also help you understand how often they are being used.
+
+**Application Crashes**
-You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
+Use this view to get reliability data for apps on your Surface Hubs over the past 30 days. The data comes from app crashes on your Surface Hubs. This view helps you detect and notify app developers of poorly behaving in-box and line-of-business apps.
+
+**Sample Queries**
-If you don't use InTune to manage your environment, you can enroll devices manually through **Settings**:
+Use this to create custom alerts based on a recommended set of queries. Alerts help you respond quickly if your Surface Hubs report software or hardware issues. For more inforamtion, see [Set up alerts using sample queries](#set-up-alerts-with-sample-queries).
-1. From your Surface Hub, start **Settings**.
-2. Enter the device admin credentials when prompted.
-3. Click **System**, and navigate to Microsoft Operations Management Suite.
-4. Click **Configure**.
-5. Select **Enable monitoring**.
-6. In the OMS settings dialog, type the **workspace ID**.
-7. Repeat steps 5 and 6 for the **primary key**.
-8. Click **OK** to complete the configuration.
+## Set up alerts with sample queries
+Use alerts to respond quickly if your Surface Hubs report software or hardware issues. Alert rules automatically run log searches according to a schedule, and runs one or more actions if the results match specific criteria. For more information, see [Alerts in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-alerts/).
+
+The Surface Hub Log Analytics solution comes with a set of sample queries to help you set up the appropriate alerts and understand how to resolve issues you may encounter. Use them as a starting point to plan your monitoring and support strategy.
+
+This table describes the sample queries in the Surface Hub solution:
+
+| Alert type | Impact | Recommended remediation | Details |
+| ---------- | ------ | ----------------------- | ------- |
+| Software | Error | **Reboot the device**. Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
+| Software | Error | **Check your Exchange service**. Verify: - The service is available. - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
+| Software | Error | **Check your Skype for Business service**. Verify: - The service is available. - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details. - The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. |
+| Software | Error | **Reset the device**. This takes some time, so you should take the device offline. For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
+| Hardware | Warning | **None**. Indicates negligible impact to functionality.| Triggers when there is an error with any of the following hardware components: - Virtual pen slots - NFC driver - USB hub driver - Bluetooth driver - Proximity sensor - Graphical performance (video card driver) - Mismatched hard drive - No keyboard/mouse detected |
+| Hardware | Error | **Contact Microsoft support**. Indicates impact to core functionality (such as Skype, projection, touch, and internet connectivity). **Note** Some events, including heartbeat, include the device’s serial number that you can use when contacting support.| Triggers when there is an error with any of the following hardware components. **Components that affect Skype**: - Speaker driver - Microphone driver - Camera driver **Components that affect wired and wireless projection**: - Wired touchback driver - Wired ingest driver - Wireless adapter driver - Wi-Fi Direct error **Other components**: - Touch digitizer driver - Network adapter error (not reported to OMS)|
+
+**To set up an alert**
+1. From the Surface Hub solution, select one of the sample queries.
+2. Modify the query as desired. See Log Analytics search reference to learn more.
+3. Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/en-us/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert.
+4. Click **Save** to complete the alert rule. It will start running immediately.
+
+## Enroll your Surface Hub
+
+For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
+
+| Agent resource | Ports | Bypass HTTPS inspection? |
+| --------------------------- | ----- | ------------------------ |
+| *.ods.opinsights.azure.com | 443 | Yes |
+| *.oms.opinsights.azure.com | 443 | Yes |
+| *.blob.core.windows.net | 443 | Yes |
+| ods.systemcenteradvisor.com | 443 | No |
+
+The Microsoft Monitoring Agent, used to connect devices to OMS, is integrated with the Surface Hub operating system, so there is no need to install additional clients to connect Surface Hub to OMS.
+
+Once your OMS workspace is set up, there are several ways to enroll your Surface Hub devices:
+- [Settings app](#enroll-using-the-settings-app)
+- [Provisioning package](#enroll-using-a-provisioning-package)
+- [MDM provider](#enroll-using-a-mdm-provider), such as Microsoft Intune and Configuration Manager
+
+You'll need the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
+
+### Enroll using the Settings app
+
+**To Enroll using the settings app**
+
+1. From your Surface Hub, start **Settings**.
+2. Enter the device admin credentials when prompted.
+3. Select **This device**, and navigate to **Device management**.
+4. Under **Monitoring**, select **Configure OMS settings**.
+5. In the OMS settings dialog, select **Enable monitoring**.
+6. Type the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
+7. Click **OK** to complete the configuration.
+
A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS.
-### Monitoring devices
-
-Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices.
-
-1. Sign in to the OMS portal.
-2. Navigate to the Surface Hub solution pack dashboard.
-3. Your device's health will be displayed here.
-
-You can create OMS alerts based on existing or custom queries that use the data collected through OMS.
+### Enroll using a provisioning package
+You can use a provisioning package to enroll your Surface Hub. For more infomation, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
+
+### Enroll using a MDM provider
+You can enroll Surface Hub into OMS using the SurfaceHub CSP. Intune and Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. For more information, see [Manage Surface Hub settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
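Review bot: the last entry in the Hardware/Error row of the sample-query table, `Network adapter error (not reported to OMS)`, contradicts that row's own lead-in, "Triggers when there is an error with any of the following hardware components": a condition that is never reported to OMS cannot fire an OMS alert, so either drop it from the trigger list or move it into a sentence saying that network-adapter failures are not observable through this solution (the missed-heartbeat trigger in the first row already covers the visible symptom). The firewall table under "Enroll your Surface Hub" tells admins to exempt three wildcard hosts, including `*.blob.core.windows.net`, from HTTPS inspection but gives no reason; a sentence on why inspection must be bypassed for these hosts, plus a note that `*.blob.core.windows.net` matches every Azure Storage account rather than only Log Analytics, would let readers scope the exemption as narrowly as their proxy allows. Smaller points in the same hunk: "inforamtion" (first line) and "infomation" (provisioning package section) are misspelled; "Alert rules automatically run log searches ... and runs one or more actions" should read "run"; "This table list the ports" should be "lists"; "Enroll using a MDM provider" should be "an MDM provider", with the `#enroll-using-a-mdm-provider` anchor in the bullet list updated to match; step 2 of "To set up an alert" cites the "Log Analytics search reference" without a link while the neighbouring references are linked; and "You can get these from the OMS portal" appears both before the enrollment list and again in step 6 of the Settings procedure, so one copy can go.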
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index e948c327bb..a2103eec0b 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -71,7 +71,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
- Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!"
+ Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index a7304bb73f..853813a012 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -57,17 +57,17 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
```PowerShell
- Set-Mailbox $acctUpn -Type Regular
- Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id
- Set-Mailbox $acctUpn -Type Room
- Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
+ Set-Mailbox 'HUB01@contoso.com' -Type Regular
+ Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
+ Set-Mailbox 'HUB01@contoso.com' -Type Room
+ Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) -EnableRoomMailboxAccount $true
```
4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```PowerShell
- Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
- Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
+ Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+ Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Connect to Azure AD.
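Review bot: the rewritten password line in this hunk does not run: `Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) -EnableRoomMailboxAccount $true` gives `-String` no argument, so PowerShell stops with "Missing an argument for parameter 'String'" before the mailbox is touched. It also replaces the original `$credNewAccount.Password`, a SecureString obtained from a credential prompt, with a construction that invites readers to paste the device account password in plain text on the command line, where it lands in the console history and in any transcript. Suggest either restoring `$credNewAccount.Password` (provided the topic still shows where `$credNewAccount` is populated) or prompting inline, for example `-RoomMailboxPassword (Read-Host "Device account password" -AsSecureString)`, which never places the secret on the command line. Separately, the two `Set-CalendarProcessing` lines use en dashes (`–AllowConflicts`, `–DeleteComments`) in place of hyphens; PowerShell tolerates them, but they break when the commands are copied into other tooling, so normalise them to `-` while these lines are being edited.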
@@ -81,7 +81,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
```PowerShell
- Set-MsolUser -UserPrincipalName $acctUpn -PasswordNeverExpires $true
+ Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
```
7. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
@@ -91,9 +91,9 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
```PowerShell
- Set-MsolUser -UserPrincipalName $acctUpn -UsageLocation "US"
+ Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US"
Get-MsolAccountSku
- Set-MsolUserLicense -UserPrincipalName $acctUpn -AddLicenses $strLicense
+ Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```
8. Enable the device account with Skype for Business.
@@ -118,14 +118,14 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```PowerShell
- Enable-CsMeetingRoom -Identity $rm -RegistrarPool
+ Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```PowerShell
- Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool*
+ Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
```
9. Assign Skype for Business license to your Surface Hub account.
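Review bot: the `Enable-CsMeetingRoom` command in this hunk is split across two lines with no continuation: `Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool` ends the first statement with a parameter that has no value, and `"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress` on the next line is parsed as a separate expression, so a reader who copies the block gets "Missing an argument for parameter 'RegistrarPool'" rather than an enabled meeting room. Put the whole command on one line, or end the first line with a backtick if the wrap is wanted for width. The `Get-CsOnlineUser` example below it uses typographic quotes (`‘alice@contoso.com’`) where the rest of the topic uses straight quotes; worth normalising in the same edit.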
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 9ebb5d145d..c6c3db5d36 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -13,62 +13,24 @@ localizationpriority: medium
# Password management (Surface Hub)
+Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change (or "rotate") this password regularly. However, if the device account’s password changes, the password that was previously stored on the Surface Hub will be invalid, and all features that depend on the device account will be disabled. You will need to update the device account’s password on the Surface Hub from the Settings app to re-enable these features.
-Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device account’s password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device account’s password on the Surface Hub from the Settings app to re-enable these features.
+To simplify password management for your Surface Hub device accounts, there are two options:
-To prevent the device account from expiring, there are two options:
-
-1. Set the password on the device account so it doesn't expire.
+1. Turn off password expiration for the device account.
2. Allow the Surface Hub to automatically rotate the device account’s password.
-## Setting the password so it doesn't expire
+## Turn off password rotation for the device account
Set the device account’s **PasswordNeverExpires** property to True. You should verify whether this meets your organization’s security requirements.
-## Allow the Surface Hub to manage the password
-
-
-The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily.
-
-Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password.
-
-For your device account to use password rotation, you must meet enter the device account’s information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted:
-
-
-
-
-
-
-
-
-
Environment
-
Required format for device account
-
-
-
-
-
Device account is hosted only online
-
username@contoso.com
-
-
-
Device account is hosted only on-prem
-
DOMAIN\username
-
-
-
Device account is hosted online and on-prem (hybrid)
-
DOMAIN\username
-
-
-
-
-
-
-
-
-
-
+## Allow the Surface Hub to automatically rotate the device account’s password
+The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information. You can enable this feature in **Settings**. Once enabled, the device account's password will change weekly during maintenance hours.
+Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory or the Office 365 admin portal to reset the password.
+> [!IMPORTANT]
+> If your organization uses a hybrid topology (some services are hosted on-premises and some are hosted online through Office 365), you must setup the device account in **domain\username** format. Otherwise, password rotation will not work.
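Review bot: the heading `## Turn off password rotation for the device account` contradicts the option it introduces. The numbered list just above calls this option "Turn off password expiration for the device account", and the body sets `PasswordNeverExpires`, which only stops expiry and says nothing about rotation; rotation is the second option, so the heading should say "expiration". The deleted table listed three environments (online only: `username@contoso.com`; on-prem only: `DOMAIN\username`; hybrid: `DOMAIN\username`), but the new IMPORTANT note covers only the hybrid case, so the `DOMAIN\username` requirement for on-prem-only accounts disappears from the topic unless that was intentional. The rotation paragraph also changes the interval from daily to "weekly during maintenance hours" without saying whether the interval or the window is configurable; if they are fixed, say so, since an admin weighing this against a non-expiring password needs that to choose. Grammar: "you'll need use Active Directory" should be "you'll need to use", and "you must setup the device account" should be "set up".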
diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
index a4eb84f063..73dd21ac2e 100644
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
@@ -13,248 +13,209 @@ localizationpriority: medium
# Create provisioning packages (Surface Hub)
+This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
-For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
+You can apply a provisioning package using a USB during first run, or through the **Settings** app.
-In this topic, you'll find the following information:
-- [Introduction to provisioning packages](#intro-prov-pkg)
-- [What can provisioning packages configure for Microsoft Surface Hubs?](#what-can-prov-pkg)
-- [How do I create and deploy a provisioning package?](#how-do-i-prov-pkg)
-- [Requirements](#requirements-prov-pkg)
-- [Install the Windows Imaging and Configuration Designer](#installing-wicd-prov-pkg)
-- [Create a provisioning package for certificates](#creating-prov-pkg-certs)
-- [Create a provisioning package for apps](#creating-prov-pkg-apps)
-- [Deploy a provisioning package to a Surface Hub](#deploy-to-hub-prov-pkg)
- - [Deploy a provisioning package using first run](#deploy-via-oobe-prov-pkg)
- - [Deploy a provisioning package using Settings](#deploy-via-settings-prov-pkg)
+## Advantages
+- Quickly configure devices without using a MDM provider.
-### Introduction to provisioning packages
+- No network connectivity required.
-Provisioning packages are created using Windows Imaging and Configuration Designer (WICD), which is a part of the Windows Assessment and Deployment Kit (ADK). For Surface Hub, the provisioning packages can be placed on a USB drive.
+- Simple to apply.
-### What can provisioning packages configure for Surface Hubs?
+[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages)
-Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios.
-You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps).
+## Requirements
->**Note** Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+To create and apply a provisioning package to a Surface Hub, you'll need the following:
-
-
-### How do I create and deploy a provisioning package?
-
-Provisioning packages must be created using the Windows Imaging and Configuration Designer (ICD).
-
-### Requirements
-
-In order to create and deploy provisioning packages, all of the following are required:
-
-- Access to the Settings app on Surface Hub (using admin credentials which were configured at initial setup of the Surface Hub).
-- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the windows 10 Assessment and Deployment Kit (ADK).
+- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740).
- A PC running Windows 10.
-- USB flash drive.
+- A USB flash drive.
+- If you apply the package using the **Settings** app, you'll need device admin credentials.
-### Install the Windows Imaging and Configuration Designer
+You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
-1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718147).
- >**Note** The ADK must be installed on a separate PC, not on the Surface Hub.
-2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
+## Supported items for Surface Hub provisioning packages
- Before going to the next step, make sure you have the following checked:
+Currently, you can add these items to provisioning packages for Surface Hub:
+- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange.
+- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev.
+- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
- - **Deployment Tools**
- - **Windows Preinstallation Environment**
- - **Imaging and Configuration Designer**
- - **User State Migration Tool**
- All four of these features are required to run the ICD and create a package for the Surfact Hub.
+## Create the provisioning package
- 
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
-3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
+1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
-### Create a provisioning package for certificates
+2. Click **Advanced provisioning**.
-This example will demonstrate how to create a provisioning package to install a certificate.
+ 
+
+3. Name your project and click **Next**.
-1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
+4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
- 
+ 
-2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
- 
+ 
- Select the settings that are **Common to all Windows editions**, and click **Next**.
- 
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
- When asked to import a provisioning package, just click **Finish.**
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
- 
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
-3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
+2. Enter a **CertificateName** and then click **Add**.
- 
+2. Enter the **CertificatePassword**.
- In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
+3. For **CertificatePath**, browse and select the certificate.
-4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
+4. Set **ExportCertificate** to **False**.
- 
+5. For **KeyLocation**, select **Software only**.
-5. In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
- 
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
-6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
- 
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags.
-7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
- 
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
- Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
- 
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
- Choose where to save the provisioning package, and click **Next**.
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
- 
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute.
- Review the information shown, and if it looks good, click **Build**.
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
- 
- You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
- 
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
-8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+2. Select one of the available policy areas.
-### Create a provisioning package for apps
+3. Select and set the policy you want to add to your provisioning package.
-This example will demonstrate how to create a provisioning package to install offline-licensed apps purchased from the Windows Store for Business. For information on offline-licensed apps and what you need to download in order to install them, see [Distribute offline apps](https://go.microsoft.com/fwlink/?LinkId=718148).
-For each app you want to install on Surface Hubs, you'll need to download:
+### Add Surface Hub settings to your package
-- App metadata
-- App package
-- App license
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
-Depending on the app, you may or may not need to download a new app framework.
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
-1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
+2. Select one of the available setting areas.
- 
+3. Select and set the setting you want to add to your provisioning package.
-2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
- 
+## Build your package
- Select the settings that are **Common to all Windows desktop editions**, and click **Next**.
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
- 
+2. Read the warning that project files may contain sensitive information, and click **OK**.
- When asked to import a provisioning package, just click **Finish.**
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
- 
+3. On the **Export** menu, click **Provisioning package**.
-3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **UniversalAppInstall** and click **DeviceContextApp**.
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
- 
+5. Set a value for **Package Version**, and then select **Next.**
- In the center pane, you’ll be asked to specify a **PackageFamilyName** for the app. This is one of the things you downloaded from the Store for Business. Click **Add**, and an entry will be added in the left pane.
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
-4. In the **Available customizations** pane on the left, new categories will be displayed for **ApplicationFile** and **LaunchAppAtLogin** underneath the **PackageFamilyName** you just entered. Enter the appx filename in the **ApplicationFile** box in the center pane.
+6. Optional: You can choose to encrypt the package and enable package signing.
- 
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- Generally, **LaunchAppAtLogin** should be set to **Do not launch app** or **NOT CONFIGURED**.
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
-5. Next, click **DeviceContextAppLicense** in the left pane. In the center pane, you’ll be asked to specify the **LicenseProductId**. Click **Add**. Back in the left pane, click on the **LicenseProductId** that you just added. In the center pane, you'll need to specify **LicenseInstall**. Enter the name of the license file that you previously downloaded from the Store for Business, either by typing or clicking **Browse**. The file will have a extension of "ms-windows-store-license".
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
- 
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+Optionally, you can click **Browse** to change the default output location.
-6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
+8. Click **Next**.
- 
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
-7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- 
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
- Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
- 
- Choose where to save the provisioning package, and click **Next**.
+## Apply a provisioning package to Surface Hub
- 
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
- Review the information shown, and if it looks good, click **Build**.
- 
+### Apply a provisioning package during first run
- You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
- 
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
-8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
-### Deploy a provisioning package to a Surface Hub
+ 
-The following two methods for deploying provisioning packages apply to any kind of provisioning package that is being deployed to a Surface Hub. There is no difference in the way cert provisioning packages and app provisioning packages are installed. You may see different description text in the UI depending on what the package is for, but the process is still the same.
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-### Deploy a provisioning package using first run
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
-1. When you turn on the Surface Hub for the first time, the first run process will display the page titled **Hi there**. Make sure the settings on this page are correct before you proceed. (See [Hi there page](first-run-program-surface-hub.md#first-page) for details.) Once you've deployed your provisioning package, the first run process will not return here. It will continue to the next screen.
-2. Insert the USB drive into the Surface Hub.
-3. Press the Windows key on the separate keyboard five times. You’ll see a dialog box asking whether you want to set up your device. Click **Set Up**.
+ 
- IMage
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
-4. Click on **Removable Media** in the **Provision From** dropdown list, then click **Next**.
+ 
- 
-5. The available packages in the root directory of the USB drive will be listed. Note that you can only install one package during first run. Select the package you want to install and then click **Next**.
+### Apply a package using Settings
- 
-
-6. You’ll then see a dialog asking if it’s from a source you trust. Click **Yes, add it**. The certificate will be installed, and you’ll be taken to the next page of first run.
-
- 
-
-### Deploy a provisioning package using Settings
-
-1. Insert the USB drive into the Surface Hub you want to deploy to.
-2. On the Surface Hub, open **Settings** and enter in the admin credentials.
-3. Navigate to **System > Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
-4. Here, click the button for **Add a package**.
-
- 
-
-5. Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
-
- 
-
-6. Choose your package and click **Add**.
-
- 
-
-7. You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
-8. You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.
-
-
-
-
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
+3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
+4. Select **Add a package**.
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
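Review bot: the IMPORTANT note under step 6 ("any package signed with that certificate thereafter can be applied silently") states a capability without its cost: once the provisioning certificate is in the device's store, anyone holding that certificate's private key can push settings to the Surface Hub without an admin seeing the "Yes, add it" summary that steps 5 and 6 of the Settings procedure rely on, so the note should tell readers to protect the signing key, restrict who can sign packages with it, and remove the certificate from devices if the key is lost or compromised. Two smaller points in the same hunk: the "Enable package encryption" bullet says an auto-generated password "will be shown on the screen" but not where that password is used or that it should be recorded securely; and the continuation lines under steps 7, 9 and 10 ("Optionally, you can click **Browse**...", "If you need to cancel the build...", "If your build is successful...") are not indented, so most Markdown renderers will close the numbered list there and restart numbering after them.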
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
new file mode 100644
index 0000000000..41588251fe
--- /dev/null
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -0,0 +1,21 @@
+---
+title: Remote Surface Hub management
+description: This section lists topics for managing Surface Hub.
+keywords: remote management, MDM, install apps, monitor Surface Hub, Operations Management Suite, OMS
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Remote Surface Hub management
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Manage settings with an MDM provider]( https://technet.microsoft.com/itpro/surface-hub/manage-settings-with-mdm-for-surface-hub) | Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.|
+| [Monitor your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/monitor-surface-hub) | Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite.|
+| [Windows updates](https://technet.microsoft.com/itpro/surface-hub/manage-windows-updates-for-surface-hub) | You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.|
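Review bot: the three table links open with a space after the parenthesis (`]( https://technet.microsoft.com/...`), which some Markdown renderers treat as literal text rather than a link; remove the space. The other Surface Hub topics in this change link to sibling pages with relative paths (for example `manage-surface-hub.md` in save-bitlocker-key-surface-hub.md), so these entries should probably point at the topic files relatively as well rather than hard-coding technet.microsoft.com URLs that break on a site move.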
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 1658d8de1a..461864a1aa 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -24,11 +24,11 @@ There are several ways to manage your BitLocker key on the Surface Hub.
2. If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
-3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to Settings and navigating to **System** > **Microsoft Surface Hub**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
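Review bot: step 3 now ends with "The key will be saved to a text file on the USB drive" but says nothing about what to do with that file; since it is the BitLocker recovery key in clear text, anyone holding the drive can unlock the Surface Hub's disk, so the step should tell the admin to move the key into the organization's key escrow (the Azure AD option in step 2 is one such place) and then wipe or lock away the USB drive.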
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
index 275dd6a33b..4786082d45 100644
--- a/devices/surface-hub/surface-hub-administrators-guide.md
+++ b/devices/surface-hub/surface-hub-administrators-guide.md
@@ -16,7 +16,7 @@ localizationpriority: medium
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
-Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
+Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
## In this section
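Review bot: the rewritten sentence replaces the deep link to the checklist (`prepare-your-environment-for-surface-hub.md#prepare-checklist`) with a link to the whole topic, so readers lose the pointer to the specific list they are asked to complete; if the checklist section still exists, keep the anchor, and if it was removed, say where the "preparation items" are in the linked topic.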
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index e948577807..fbed027215 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,21 +7,19 @@ author: TrudyHa
localizationpriority: medium
---
-# When to use a fully qualified domain name with Surface Hub
+# Configure domain name for Skype for Business
-A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN.
+There are a few scenarios where you need to specify the domain name of your Skype for Business server:
- **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.
- **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
-- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
+- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
-## Add FQDN to Surface Hub
+**To configure the domain name for your Skype for Business server**
+1. On Surface Hub, open **Settings**.
+2. Click **This device**, and then click **Calling**.
+3. Under **Skype for Business configuration**, click **Configure domain name**.
+4. Type the domain name for your Skype for Business server, and then click **Ok**.
+> [!TIP]
+> You can type multiple domain names, separated by commas. For example: lync.com, outlook.com, lync.glbdns.microsoft.com
-You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed.
-
-**To add Skype for Business Server FQDN**
-1. On Surface Hub open the **Settings** app.
-2. Navigate to **System**, **Microsoft Surface Hub**.
-3. Under **Skype for Business**, click **Add FQDN**.
-4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com.
-
- 
\ No newline at end of file
+ 
\ No newline at end of file
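Review bot: step 4 ("Type the domain name for your Skype for Business server") and the certificate bullet above it ("Skype needs to know the domain name of the certificate") ask for different values; the replaced step 4 said to type the FQDN for the certificate. State which one the **Configure domain name** setting expects, because readers whose CA domain differs from the server domain (exactly the case the bullet describes) will otherwise enter the wrong value and sign-in will still fail. Also, the TIP block follows list item 4 with no blank line, so it renders as part of that item, and the final `+ ` line reintroduces a whitespace-only last line with no newline at end of file.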
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 8593840926..0ccd6ad70d 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -36,10 +36,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
-
- 
-
-3. The system will show you the properties for the wireless network connection.
+3. Surface Hub shows you the properties for the wireless network connection.

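Review bot: step 2 (unchanged context) still navigates **System** > **Network & Internet** > **Wi-Fi**, while the other Surface Hub topics in this change move Settings paths away from **System** (to **This device** > **Calling** and **Update & security** > **Recovery**, for example); confirm the Wi-Fi path against the current Settings app while this page is open, since only step 3's wording and the screenshot were touched.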
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index eff3b9bb69..c2eea7a99c 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,5 +1,6 @@
# [Surface](index.md)
## [Deploy Surface devices](deploy.md)
+### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
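Review bot: the new entry is capitalised "Long-Term Servicing Branch for Surface devices" while change-history-for-surface.md in this same change lists the topic as "Long-term servicing branch for Surface devices"; pick one form (the TOC text should match the topic's `title:` metadata) so the two pages do not disagree.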
@@ -12,6 +13,7 @@
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
+## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
@@ -21,5 +23,6 @@
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
+## [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index 7b231f3562..6caa1ce23a 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -28,7 +28,8 @@ To update the UEFI on Surface Pro 3, you can download and install the Surface UE
## Manually configure additional security settings
->**Note:** To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
+>[!NOTE]
+>To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named **Advanced Device Security** becomes available. If you click this menu, the following options are displayed:
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
new file mode 100644
index 0000000000..dd716e83f7
--- /dev/null
+++ b/devices/surface/change-history-for-surface.md
@@ -0,0 +1,24 @@
+---
+title: Change history for Surface documentation (Windows 10)
+description: This topic lists new and updated topics in the Surface documentation library.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Change history for Surface documentation
+
+This topic lists new and updated topics in the Surface documentation library.
+
+## October 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New |
+| [Long-term servicing branch for Surface devices](ltsb-for-surface.md) | New |
+
+
+
+
+
\ No newline at end of file
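Review bot: the new file ends with four blank lines and no trailing newline (`\ No newline at end of file`); trim the blank lines and add the final newline. The "Long-term servicing branch for Surface devices" row also differs in capitalisation from the TOC entry added in this change ("Long-Term Servicing Branch for Surface devices"); align them.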
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
new file mode 100644
index 0000000000..447e377d2c
--- /dev/null
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -0,0 +1,76 @@
+---
+title: Considerations for Surface and System Center Configuration Manager (Surface)
+description: The management and deployment of Surface devices with Configuration Manager is fundamentally the same as any other PC; this article describes scenarios that may require additional considerations.
+keywords: manage, deployment, updates, driver, firmware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: Scottmca
+---
+
+# Considerations for Surface and System Center Configuration Manager
+
+Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device.
+
+You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index) article in the TechNet Library.
+
+Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.
+
+>[!NOTE]
+>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
+
+## Updating Surface device drivers and firmware
+
+For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+
+As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs).
+
+>[!NOTE]
+>Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/en-us/kb/3025419).
+
+## Surface Ethernet adapters and Configuration Manager deployment
+
+The default mechanism that Configuration Manager uses to identify devices during deployment is the Media Access Control (MAC) address. Because the MAC address is associated with the Ethernet controller, an Ethernet adapter shared among multiple devices will cause Configuration Manager to identify each of the devices as only a single device. This can cause a Configuration Manager deployment of Windows to not be applied to intended devices.
+
+To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
+
+* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+
+* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+
+* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
+
+Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions.
+
+For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog as documented in the [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/) blog post from the Ask The Core Team blog.
+
+## Deploy Surface app with Configuration Manager
+
+With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
+
+## Use prestaged media with Surface clients
+
+If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/en-us/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
+
+Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
+
+## Licensing conflicts with OEM Activation 3.0
+
+Surface devices come preinstalled with a licensed copy of Windows. For example, Surface Pro 4 is preinstalled with Windows 10 Professional. The license key for this preinstalled copy of Windows is embedded in the firmware of the device with OEM Activation 3.0 (OA 3.0). When you run Windows installation media on a device with an OA 3.0 key, Windows setup automatically reads the license key and uses it to install and activate Windows. In most situations, this simplifies the reinstallation of Windows, because the user does not have to find or enter a license key.
+
+When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services (KMS) or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
+
+However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/en-us/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
+
+## Apply an asset tag during deployment
+
+Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
+
+To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/en-us/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
+
+## Configure push-button reset
+
+When you deploy Windows to a Surface device, the push-button reset functionality of Windows is configured by default to revert the system back to a state where the environment is not yet configured. When the reset function is used, the system discards any installed applications and settings. Although in some situations it can be beneficial to restore the system to a state without applications and settings, in a professional environment this effectively renders the system unusable to the end user.
+
+Push-button reset can be configured, however, to restore the system configuration to a state where it is ready for use by the end user. Follow the process outlined in [Deploy push-button reset features](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/deploy-push-button-reset-features) to customize the push-button reset experience for your devices.
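Review bot: the asset-tag paragraph overstates what its references support: it claims the UEFI asset tag works on Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3, but both linked resources are Surface Pro 3 specific ("Asset Tag Tool for Surface Pro 3" and a blog slug of `set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence`, while the link text says "Set Surface Asset Tag During a Configuration Manager Task Sequence"). Either cite a source that covers the other models or scope the claim to the Pro 3 tool. In the licensing paragraph, the default product keys on the Device Partner Center are generic keys for selecting an edition, not activation keys; say so explicitly next to "If you do not have a specific key", so a reader does not expect them to activate the device, and note that KMS/AD-based activation still applies afterward. Minor: "Ei.cfg or Pid.txt" should be "EI.cfg or PID.txt" to match the file names in the linked Setup documentation.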
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 4c35222e31..c2263b5065 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -91,7 +91,7 @@ To download the required frameworks for the Surface app, follow these steps:
##Install Surface app on your computer with PowerShell
The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
-1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#how-to-download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
+1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
2. Begin an elevated PowerShell session.
>**Note:** If you don’t run PowerShell as an Administrator, the session won’t have the required permissions to install the app.
3. In the elevated PowerShell session, copy and paste the following command:
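Review bot: the anchor is changed to `#download-surface-app-from-a-windows-store-for-business-account` but the link text still reads "How to download Surface app from a Windows Store for Business account"; confirm the target heading was actually renamed (the anchor must match the heading text, and the same anchor is used again in the next hunk), and update the link text to match so the two do not drift apart. While here, the context heading `##Install Surface app on your computer with PowerShell` (and `##Install Surface app with MDT` in the next hunk) has no space after `##`, which CommonMark renderers treat as a paragraph rather than a heading; add the space.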
@@ -119,7 +119,7 @@ Before the Surface app is functional on the computer where it has been provision
##Install Surface app with MDT
The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image.
-1. Using the procedure described [earlier in this article](#how-to-download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
+1. Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**.
3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows:
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index 517aca2f0b..03cdc49f49 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -16,6 +16,7 @@ Get deployment guidance for your Surface devices including information about MDT
| Topic | Description |
| --- | --- |
+| [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) | Explains that LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 1b70df3e57..3bd0c700bd 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -13,7 +13,7 @@ author: heatherpoulsen
# Surface
-This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
+This library provides guidance to help you deploy Windows on Microsoft Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface).
@@ -23,12 +23,14 @@ For more information on planning for, deploying, and managing Surface devices in
| --- | --- |
| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
+| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | Get guidance on how to deploy and manage Surface devices with System Center Configuration Manager. |
| [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
+| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
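Review bot: both new rows link to files that are not part of this patch, `considerations-for-surface-and-system-center-configuration-manager.md` and `change-history-for-surface.md`; confirm they exist in the tree or add them in the same change, otherwise the index ships with broken links. Also, the new `ltsb-for-surface.md` topic added to deploy.md in this patch is not listed here; consider adding a row so the LTSB guidance is discoverable from the library landing page.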
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
new file mode 100644
index 0000000000..91ae3a566b
--- /dev/null
+++ b/devices/surface/ltsb-for-surface.md
@@ -0,0 +1,44 @@
+---
+title: Long-Term Servicing Branch for Surface devices (Surface)
+description: LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Long-Term Servicing Branch (LTSB) for Surface devices
+
+
+General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB).
+
+>[!NOTE]
+>For more information about the servicing branches, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
+
+LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices.
+
+General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as those in CB, at a later date.
+
+Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–may consider the use of LTSB. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization.
+
+
+
+
+
+## Related topics
+
+- [Surface TechCenter](https://technet.microsoft.com/windows/surface)
+
+- [Surface for IT pros blog](http://blogs.technet.com/b/surface/)
+
+
+
+
+
+
+
+
+
+
+
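Review bot: the sentence "LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates" leaves the security-update question implicit; state plainly that devices on LTSB still receive security updates and that the gap is feature updates, Surface firmware/driver updates and in-box apps, otherwise readers may conclude LTSB devices go unpatched. The closing sentence of that paragraph ("LTSB is not supported as a suitable servicing solution for general-purpose Surface devices") restates the opening sentence of the page and can be dropped. Minor: the en dashes in "scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–may" need surrounding spaces or should be commas, and the file ends with about fifteen blank lines after the related-topics list; trim them.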
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 2e31b14786..8411e8ef7f 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -5,6 +5,7 @@
### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
## [Get Minecraft Education Edition](get-minecraft-for-education.md)
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
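Review bot: the rest of this patch renames the product to "Minecraft: Education Edition" (see the change-history rows and get-minecraft-for-education.md), but the three TOC entries in this hunk still read "Get Minecraft Education Edition", "For teachers: get Minecraft Education Edition" and "For IT administrators: get Minecraft Education Edition"; update them in the same change so the navigation matches the page titles.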
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index f03105f10d..3ce92ed3d0 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,6 +12,14 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## November 2016
+
+| New or changed topic | Description|
+| --- | --- |
+| [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Windows Store for Business. |
+| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
+| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
+
## September 2016
| New or changed topic | Description|
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 81002929b2..bcf28c02a2 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -35,8 +35,8 @@ App migration or replacement is an essential part of your Chromebook migration.
Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio).
-**Note**
-The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
+> [!NOTE]
+> The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index dcfe03beba..766978b300 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -728,7 +728,7 @@ To implement this method, perform the following steps:
Put the student information in the format the bulk-import feature requires.
2. Bulk-import the student information into Azure AD.
- For more information about how to perform this step, see the [Bulk-import user and group accounts in Office 365](#bulk-import-user-and-group-accounts-in-office-365) section.
+ For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
#### Summary
@@ -1851,4 +1851,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723347)
* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/en-us/windows/mt723344)
* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/en-us/windows/mt723343)
-* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
\ No newline at end of file
+* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
new file mode 100644
index 0000000000..8a42859576
--- /dev/null
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -0,0 +1,180 @@
+---
+title: Education scenarios Windows Store for Business
+description: Learn how IT admins and teachers can use Windows Store for Business to acquire and manage apps in schools.
+keywords: ["school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: trudyha
+---
+
+# Working with Windows Store for Business – education scenarios
+
+Learn about education scenarios for Windows Store for Business. IT admins and teachers can use Windows Store for Business to find, acquire, distribute, and manage apps.
+
+## Manage Windows Store for Business settings
+
+### Access to Windows Store for Business
+Applies to: IT admins
+
+By default, when a teacher with a work or school account acquires Minecraft: Education Edition,they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
+
+However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
+
+**To manage educator access to Windows Store for Business**
+1. In Windows Store for Business, click **Settings**, and then click **Permissions**.
+
+ 
+
+2. Select, or clear **Allow educators in my organization to sign up for the Windows Store for Business**.
+
+### Windows Store for Business permissions
+Applies to: IT admins
+
+**Minecraft: Education Edition** adds a new role for teachers: **Basic Purchaser**. As an Admin, you can assign this role to teachers in your organization. When a teacher has been granted this role, they can:
+- View the Minecraft: Education Edition product description page
+- Acquire and manage Minecraft: Education Edition, and other apps from Store for Business
+- Use info on Support page (including links to documentation and access to support through customer service)
+
+ 
+
+**To assign Basic Purchaser role**
+
+1. Sign in to Store for Business
+
+ > [!NOTE]
+ > You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
+
+2. Click **Settings**, and then choose **Permissions**.
+
+ 
+3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
+
+ 
+
+ Windows Store for Business updates the list of people and permissions.
+
+ 
+
+### Private store
+
+Applies to: IT admins
+
+When you create you Windows Store for Business account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use.
+
+These apps will automatically be in your private store:
+- Word mobile
+- Excel mobile
+- PowerPoint mobile
+- OneNote
+- Sway
+- Fresh Paint
+- Minecraft: Education Edition
+
+As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
+
+## Manage domain settings
+
+Applies to: IT admins
+
+### Self-service sign up
+Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
+
+### Domain verification
+For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
+
+## Acquire apps
+Applies to: IT admins and teachers
+
+Find apps for your school using Windows Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
+
+**To acquire apps**
+- For info on how to acquire apps, see [Acquire apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#acquire-apps)
+
+**To add a payment method**
+
+If you the app you purchase has a price, you’ll need to provide a payment method.
+- Click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
+
+For more information on payment options, see [payment options](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#payment-options).
+
+For more information on tax rates, see [tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
+
+### Get started with Minecraft: Education Edition
+Teachers and IT administrators can now get trials or subscriptions to Minecraft: Education Edition and add it to Windows Store for Business for distribution.
+- [Get started with Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/get-minecraft-for-education)
+- [For IT admins – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft)
+- [For teachers – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft)
+
+
+## Manage WSfB inventory
+Applies to: IT admins and teachers
+
+### Manage purchases
+IT admins and teachers in educational settings can purchase apps from Windows Store for Business. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default.
+
+While both groups can purchase apps, they can't manage purchases made by the other group.
+
+Admins can:
+- Manage and distribute apps they purchased and apps that are purchased by other admins in the organization.
+- View apps purchased by teachers.
+- View and manage apps on **Inventory**, under **Admin purchases**.
+
+Teachers can:
+- Manage and distribute apps they purchased.
+- View and manage apps on **Inventory**, under **User purchases**.
+
+> [!NOTE]
+> Teachers can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
+
+
+### Distribute apps
+
+Manage and distribute apps to students and others in your organization. Different options are avaialble for admins and teachers.
+
+Applies to: IT admins
+
+**To manage and distribute apps**
+- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft#distribute_minecraft)
+- For info on how to manage and distribute other apps, see [App inventory management - Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business)
+
+Applies to: Teachers
+
+For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft#distribute-minecraft).
+
+**To assign an app to a student**
+
+1. Sign in to the Store for Business.
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
+4. Type the email address, or name for the student that you're assigning the app to, and click **Confirm**.
+
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+
+### Purchase additional licenses
+Applies to: IT admins and teachers
+
+You can manage current app licenses, or purchase more licenses for apps in your inventory.
+
+**To purchase additional app licenses**
+1. From **Inventory**, click an app.
+2. On the app page, click **View app details**.
+3. From this page, click **Buy more** to purchase more licenses
+-OR-
+Click **Manage** to distribute or reclaim current licenses.
+
+You'll have a summary of current license availability.
+
+**Minecraft: Education Edition subscriptions**
+
+Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Windows Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses.
+
+## Manage WSfB order history
+Applies to: IT admins and teachers
+
+You can manage your orders through Windows Store for Business. For info on order history and how to refund an order, see [Manage app orders in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/manage-orders-windows-store-for-business).
+
+It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
+
+> [!NOTE]
+For **Minecraft: Education Edition**, you can request a refund through Windows Store for Business for two months from the purchase date. After two months, refunds require a support call.
\ No newline at end of file
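Review bot: the final callout is malformed: `> [!NOTE]` is followed by a body line without the `>` prefix ("For **Minecraft: Education Edition**, you can request a refund..."), so the note renders as an empty callout followed by a plain paragraph; prefix the body line with `> ` as the other notes in this file do, and add the missing trailing newline. Under "To assign an app to a student" the follow-up sentence says "Employees will receive an email", which in this education scenario should be "Students". Typos to fix: "Edition,they" (missing space) and "Window Store for Business" in the Access section, "When you create you Windows Store for Business account", "If you the app you purchase has a price", "avaialble", and "Basic purchaser" versus "Basic Purchaser" (the role name is capitalized elsewhere). On substance, the Access section should say what happens to existing Basic Purchaser assignments when an admin clears "Allow educators in my organization to sign up", since as written it only covers future sign-ups, and the Self-service sign up section would benefit from a sentence that enabling tenant self-service sign-up affects the whole Azure AD tenant, not just Store for Business.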
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 2fedf96bda..200b8a1ce9 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
-# Get Minecraft Education Edition
+# Get Minecraft: Education Edition
**Applies to:**
@@ -19,24 +19,24 @@ author: jdeckerMS
-Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution.
+Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
-
+
## Prerequisites
+
+- **Minecraft: Education Edition** requires Windows 10.
+- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
+ - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
+ * Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
+ * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
-- **Minecraft Education Edition** requires Windows 10.
-- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
- - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**.
- * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan)
- * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
+
-
-
-[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md)
+[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
-
+
-[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
+[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
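Review bot: the intro line is inconsistent with the prerequisites this hunk rewrites: it still says teachers "can now get early access to **Minecraft: Education Edition**", while the new prerequisite bullet says "Trials or subscriptions ... are offered"; reword the intro to match (the education-scenarios page added in this patch uses "get trials or subscriptions"). The same line is missing a word ("add it their Microsoft Store for Business" should be "add it to their ... Store for Business") and uses "Microsoft Store for Business" where every other page in this patch says "Windows Store for Business".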
diff --git a/education/windows/images/PCicon.png b/education/windows/images/PCicon.png
new file mode 100644
index 0000000000..c97c137b83
Binary files /dev/null and b/education/windows/images/PCicon.png differ
diff --git a/education/windows/images/clipboard.png b/education/windows/images/clipboard.png
new file mode 100644
index 0000000000..bbfa2c9e8d
Binary files /dev/null and b/education/windows/images/clipboard.png differ
diff --git a/education/windows/images/education.png b/education/windows/images/education.png
new file mode 100644
index 0000000000..cc4f7fabb2
Binary files /dev/null and b/education/windows/images/education.png differ
diff --git a/education/windows/images/lightbulb.png b/education/windows/images/lightbulb.png
new file mode 100644
index 0000000000..95bea10957
Binary files /dev/null and b/education/windows/images/lightbulb.png differ
diff --git a/education/windows/images/list.png b/education/windows/images/list.png
new file mode 100644
index 0000000000..089827c373
Binary files /dev/null and b/education/windows/images/list.png differ
diff --git a/education/windows/images/mc-dnld-others-teacher.png b/education/windows/images/mc-dnld-others-teacher.png
index 24fa7ae20d..aa5df16595 100644
Binary files a/education/windows/images/mc-dnld-others-teacher.png and b/education/windows/images/mc-dnld-others-teacher.png differ
diff --git a/education/windows/images/mc-install-for-me-teacher.png b/education/windows/images/mc-install-for-me-teacher.png
index 7bc90ad129..e303e63660 100644
Binary files a/education/windows/images/mc-install-for-me-teacher.png and b/education/windows/images/mc-install-for-me-teacher.png differ
diff --git a/education/windows/images/minecraft-assign-to-people-name.png b/education/windows/images/minecraft-assign-to-people-name.png
index e39891698b..38994cc58f 100644
Binary files a/education/windows/images/minecraft-assign-to-people-name.png and b/education/windows/images/minecraft-assign-to-people-name.png differ
diff --git a/education/windows/images/minecraft-get-the-app.png b/education/windows/images/minecraft-get-the-app.png
index f30ab8ac68..47024aab6c 100644
Binary files a/education/windows/images/minecraft-get-the-app.png and b/education/windows/images/minecraft-get-the-app.png differ
diff --git a/education/windows/images/minecraft-student-install-email.png b/education/windows/images/minecraft-student-install-email.png
index aa562a0f01..225e8d899e 100644
Binary files a/education/windows/images/minecraft-student-install-email.png and b/education/windows/images/minecraft-student-install-email.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index f8d54749bf..98aaf94eef 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -1,32 +1,46 @@
---
title: Windows 10 for Education (Windows 10)
-description: Learn about using Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
+keywords: Windows 10, education
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-author: jdeckerMS
+author: CelesteDG
---
# Windows 10 for Education
-[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
+
-[Find out how to get Windows 10 Education or Windows 10 Pro Education for your school](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
+[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers, and students to do great things.
-[Learn more about what features and functionality are supported in each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+##  Learn
-## In this section
+
+
+[Windows 10 editions for education customers](windows-editions-for-education-customers.md) Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
+
[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) Find out more about the features and functionality we support in each edition of Windows.
+[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) When you've made your decision, find out how to buy Windows for your school.
+
-|Topic |Description |
-|------|------------|
-| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. |
-| [Provisioning options for Windows 10](set-up-windows-10.md) | Learn about your options for setting up Windows 10. |
-| [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. |
-| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 |
-| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in a school. |
-| [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) |Learn how to deploy Windows 10 in a school district.|
-| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. |
+##  Plan
+
+
+
+[Provisioning options for Windows 10](set-up-windows-10.md) Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.
+[Get Minecraft Education Edition](get-minecraft-for-education.md) Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
+
[Take tests in Windows 10](take-tests-in-windows-10.md) Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
+
[Chromebook migration guide](chromebook-migration-guide.md) Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
+
+
+ ##  Deploy
+
+
+
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
+
+ [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) Get step-by-step guidance to help you deploy Windows 10 in a school environment.
+ [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
+
## Related topics
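Review bot: consecutive link entries in the new Learn/Plan/Deploy sections are emitted on adjacent lines with no blank line between them ("[Compare each Windows edition](...)" directly followed by "[Get Windows 10 Education or Windows 10 Pro Education](...)", and likewise the two Plan entries and the two Deploy entries), so Markdown will run each pair together into one paragraph; insert a blank line between every entry. Two smaller points in the same hunk: "Windows 10 Education and Windows 10 Pro Education ... empowers" has a plural subject and should read "empower", and " ##  Deploy" plus the two Deploy entries carry a leading space that the Learn and Plan headings and entries do not, so the indentation should be made consistent.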
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index e1d8f75c0d..0adea43fb7 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -8,59 +8,59 @@ ms.sitesec: library
author: jdeckerMS
---
-# For IT administrators: get Minecraft Education Edition
+# For IT administrators - get Minecraft: Education Edition
**Applies to:**
- Windows 10
-When you sign up for early access to [Minecraft Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
+When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
-> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 subscription when you request Minecraft Education Edition.
+> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
## Add Minecraft to your Windows Store for Business
-You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - individual copies](#individual-copies).
+You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies).
-If you’ve been approved and are part of the Enrollment for Education Solutions program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license)
+If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume licenses for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
-### Minecraft: Education Edition - individual copies
+### Minecraft: Education Edition - direct purchase
-1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**.
+1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
- 
+
-2. Enter your email address.
+2. Enter your email address, and select Educator, Administrator, or Student. If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
- 
-
- - If your email address isn't associated to an Azure AD or Office 365 tenant, you'll be asked to fill in a form. The information will be used to create an Office 365 subscription for your school.
+
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
- 
+
4. Sign in to Windows Store for Business with your email address.
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
-6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
+6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
- 
+
Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
-### Minecraft: Education Edition - volume license
+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
-Qualified education institutions can purchase Minecraft: Education Edition volume licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
+### Minecraft: Education Edition - volume licensing
-- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the copies will be available in [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
+Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
+
+- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
- You’ll receive an email with a link to Windows Store for Business.
- Sign in to [Windows Store for Business](https://www.microsoft.com/business-store) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## Distribute Minecraft
-After Minecraft Education Edition is added to your Windows Store for Business, you have three options:
+After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
- You can install the app on your PC.
- You can assign the app to others.
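Review bot: the in-page anchors no longer match the renamed headings, so both cross-reference links in this hunk will be dead. "[Minecraft: Education Edition - direct purchase](#individual-copies)" still targets the old "individual copies" heading, which is now "### Minecraft: Education Edition - direct purchase", and "[Minecraft: Education Edition - volume license](#volume-license)" targets a heading that is now "### Minecraft: Education Edition - volume licensing"; either update the fragments to the generated ids of the new headings or keep the old heading text. Also, "When you sign up for a ... trial, or purchase a ... subscription. Minecraft will be added to the inventory" breaks one sentence with a period where a comma is needed, and "you can purchase a volume licenses" mixes singular and plural.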
@@ -68,11 +68,11 @@ After Minecraft Education Edition is added to your Windows Store for Business, y
Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).
-Here's the page you'll see for individual copies of **Minecraft: Education Edition**.
+Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Windows Store for Business.
-
+
-Here's the page you'll see for volume licensed copies of of **Minecraft: Education Edition**.
+Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.

@@ -80,27 +80,27 @@ Here's the page you'll see for volume licensed copies of of **Minecraft: Educati
You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app.
1. Sign in to Windows Store for Business.
-2. Click **Manage**, and then click **Install for me**.
+2. Click **Manage**, and then click **Install**.
- 
+ 
3. Click **Install**.
### Assign to others
-Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can
+Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
+
**To assign to others**
1. Sign in to Windows Store for Business.
2. Click **Manage**.
- 
-4. Click **Assign to people**.
+ 
+3. Click **Invite people**.
- 
-5. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
+4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
- You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
-
+ You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
+

**To finish Minecraft install (for students)**
@@ -114,16 +114,16 @@ Enter email addresses for your students, and each student will get an email with

- After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**.
+ After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**. Windows Store app is preinstalled with Windows 10.

- When students click **My Libarary** they'll find apps assigned to them.
+ When students click **My Library** they'll find apps assigned to them.

### Download for others
-Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when:
+Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
- You have administrative permissions to install apps on the PC.
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
- Your students share Windows 10 computers, but sign in with their own Windows account.
@@ -152,7 +152,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
@@ -161,12 +161,12 @@ You'll download a .zip file, extract the files, and then use one of the files to
6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
-## Manage Minecraft Education Edition
+
-### Access to Windows Store for Business
-By default, when a teacher with a work or school account in your edu tenant acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
+
+
+
+
+
-## Need more copies of Minecraft: Education Edition?
+
## Learn more
+[Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
+Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
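Review bot: the deleted "Access to Windows Store for Business" paragraph was the only text in this topic stating which Store for Business role a teacher receives when they acquire the app (**Basic Purchaser**, assigned automatically) and what that role allows; unless that statement has been moved into education-scenarios-store-for-business.md, which this hunk now links under "Learn more", the permission model the admin needs to understand is lost from the Minecraft guidance. The hunk also replaces the removed headings and paragraph with a run of seven empty `+` lines rather than a single blank line; collapse them.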
@@ -230,6 +236,6 @@ If you’ve purchased a volume license, be sure to let other basic purchasers in
## Related topics
-[Get Minecraft Education Edition](get-minecraft-for-education.md)
+[Get Minecraft: Education Edition](get-minecraft-for-education.md)
-[For teachers get Minecraft Education Edition](teacher-get-minecraft.md)
+[For teachers get Minecraft: Education Edition](teacher-get-minecraft.md)
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 7c05de544c..e4002090f5 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -25,11 +25,9 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
-> **Tip!**
+> [!TIP]
> To exit **Take a Test**, press Ctrl+Alt+Delete.
-
-
## How you use Take a Test

@@ -47,7 +45,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
1. Sign into the device with an administrator account.
2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**.
3. Select an existing account to use as the dedicated testing account.
- >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**.
+
+ > [!NOTE]
+ > If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**.
+
4. Specify an assessment URL.
5. Click **Save**.
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 7c7eda6f8e..362d143475 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
-# For teachers: get Minecraft Education Edition
+# For teachers - get Minecraft: Education Edition
**Applies to:**
@@ -18,29 +18,31 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
## Add Minecraft to your Windows Store for Business
-1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**.
+1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
- 
+
2. Enter your email address.
- 
+
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
- 
+
4. Sign in to Windows Store for Business with your email address.
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
-6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory.
+6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Windows Store for Business inventory.

+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
+
## Distribute Minecraft
-After Minecraft Education Edition is added to your Windows Store for Business, you have three options:
+After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
- You can install the app on your PC.
- You can assign the app to others.
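Review bot: step 2 is left as "Enter your email address." while the parallel step in school-get-minecraft.md is updated in this same change to "Enter your email address, and select Educator, Administrator, or Student. If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one."; the teacher procedure walks through the same sign-up flow, so it should carry the same role selection and tenant-creation note.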
@@ -52,7 +54,7 @@ After Minecraft Education Edition is added to your Windows Store for Business, y
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
1. Sign in to Windows Store for Business.
-2. Click **Manage**, and then click **Install for me**.
+2. Click **Manage**, and then click **Install**.

@@ -65,17 +67,17 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to Windows Store for Business.
2. Click **Manage**.
- 
+ 
-3. Click **Assign to people**.
-
- 
+3. Click **Invite people**.
-4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
+4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
- You can only assign the app to students with work or school accounts. If you don't find the student, contact your IT admin to add a work or school account for the student.
+ 
+
+ You can assign the app to students with work or school accounts.
+ If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Office 365 portal where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
- 
**To finish Minecraft install (for students)**
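Review bot: the rewritten guidance drops the previous fallback ("contact your IT admin to add a work or school account for the student") and instead relies on self-service sign up being supported for the domain; self-service sign-up is a tenant-level setting that an admin can have disabled, so the text should keep the explicit admin fallback for the case where the student cannot create an account themselves, rather than only "Check with your admin." Minor: the screenshot line is indented three spaces while the sentences that follow it are not, so the image and its text will render at different list levels.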
@@ -97,7 +99,7 @@ Students will receive an email with a link that will install the app on their PC

### Download for others
-Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when:
+Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
- You have administrative permissions to install apps on the PC.
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
- Your students share Windows 10 computers, but sign in with their own Windows account.
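Review bot: "download a packages that they can install on student PCs" keeps the singular/plural error in the `+` line, while the identical sentence in school-get-minecraft.md is corrected in this same change to "download an app that they can install on PCs"; align the two so the teacher and admin topics describe the download-for-others option in the same words.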
@@ -152,8 +154,11 @@ If you are still having trouble installing the app, you can get more help on our
## Related topics
-[Get Minecraft Education Edition](get-minecraft-for-education.md)
+[Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
+Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
-[For IT admins: get Minecraft Education Edition](school-get-minecraft.md)
+[Get Minecraft: Education Edition](get-minecraft-for-education.md)
+
+[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
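Review bot: the link text "For IT admins: get Minecraft: Education Edition" does not match the title the same change gives the target topic ("For IT administrators - get Minecraft: Education Edition"), and the "Working with Windows Store for Business – education scenarios" entry is placed under "Related topics" here but under "Learn more" in school-get-minecraft.md; use the new title and the same section in both topics.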
diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md
index aeca744a26..4ea53c7fc1 100644
--- a/mdop/appv-v5/about-app-v-50-sp3.md
+++ b/mdop/appv-v5/about-app-v-50-sp3.md
@@ -109,7 +109,7 @@ Review the following information before you start the upgrade:
You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.0 SP3.
[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)
@@ -521,7 +521,7 @@ You can manage connection groups more easily by using optional packages and othe
Management console
-
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md#bkmk-admin-pub-pkg-only-posh)
+
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)
PowerShell
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
index a0615d5921..dfb5138d48 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
@@ -157,7 +157,6 @@ Complete the following steps to create an Office 2013 package for App-V 5.0 or l
**Important**
In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
-
### Review prerequisites for using the Office Deployment Tool
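Review bot: the context line directly above the removed blank line reads "In App-V 5.0 and later, you must the Office Deployment Tool to create a package." and is missing the verb; since this hunk is already touching the Important note, change it to "you must use the Office Deployment Tool".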
@@ -189,11 +188,9 @@ The computer on which you are installing the Office Deployment Tool must have:
-
**Note**
In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing.
-
### Create Office 2013 App-V Packages Using Office Deployment Tool
@@ -242,8 +239,6 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
-
-
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
@@ -300,8 +295,6 @@ The XML file that is included in the Office Deployment Tool specifies the produc
-
-
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details:
@@ -811,7 +804,7 @@ The following table describes the requirements and options for deploying Visio 2
How do I package and publish Visio 2013 and Project 2013 with Office?
You must include Visio 2013 and Project 2013 in the same package with Office.
-
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](../solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md#bkmk-pkg-pub-reqs).
+
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).
How can I deploy Visio 2013 and Project 2013 to specific users?
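Review bot: the replacement link sends readers of an Office 2013 topic to "Deploying Microsoft Office 2010 by Using App-V" for the packaging and publishing requirements that govern Visio 2013 and Project 2013, where the removed link pointed at the Office 2013 requirements ("...50-solutions.md#bkmk-pkg-pub-reqs"). If the solutions topic is being retired, the requirements section for Office 2013 should be the target, not the Office 2010 guide. Also, "../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md" is written from inside mdop/appv-v5, so the "../appv-v5/" prefix just resolves back to the same folder; "deploying-microsoft-office-2010-by-using-app-v.md" is sufficient.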
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
index cc8b0e0899..f3fcc6f7b2 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
@@ -62,7 +62,6 @@ Use the following table to get information about supported versions of Office an
-
### Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
@@ -811,7 +810,7 @@ The following table describes the requirements and options for deploying Visio 2
How do I package and publish Visio 2013 and Project 2013 with Office?
You must include Visio 2013 and Project 2013 in the same package with Office.
-
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](../solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md#bkmk-pkg-pub-reqs).
+
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).
How can I deploy Visio 2013 and Project 2013 to specific users?
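Review bot: same problem as in the App-V 5.0 version of this topic: the Visio 2013 and Project 2013 FAQ row now links to "Deploying Microsoft Office 2010 by Using App-V" in place of the Office 2013 packaging and publishing requirements. This very file has a "### Packaging, publishing, and deployment requirements" section (visible in the earlier hunk), which is the natural target; pointing an Office 2013 reader at the Office 2010 guide is misleading. The "../appv-v5/" prefix is also redundant from within the appv-v5 folder.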
diff --git a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 446346aa98..5794aa6c8a 100644
--- a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -11,8 +11,6 @@ ms.prod: w10
# How to Create a Connection Group with User-Published and Globally Published Packages
-
-
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
- [How to use PowerShell cmdlets to create the user-entitled connection groups](#bkmk-posh-userentitled-cg)
@@ -46,8 +44,7 @@ You can create user-entitled connection groups that contain both user-published
-
-**How to use PowerShell cmdlets to create user-entitled connection groups**
+**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
@@ -67,7 +64,7 @@ You can create user-entitled connection groups that contain both user-published
**Enable-AppvClientConnectionGroup -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
-**How to use the App-V Server to create user-entitled connection groups**
+**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V 5.0 Management Console.
diff --git a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md
index e69999a07a..8f5736d581 100644
--- a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md
+++ b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md
@@ -45,9 +45,7 @@ You can create user-entitled connection groups that contain both user-published
-
-
-**How to use PowerShell cmdlets to create user-entitled connection groups**
+**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
@@ -67,7 +65,7 @@ You can create user-entitled connection groups that contain both user-published
**Enable-AppvClientConnectionGroup -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
-**How to use the App-V Server to create user-entitled connection groups**
+**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V 5.1 Management Console.
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md
index 37f02d475b..e80df8bb75 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md
@@ -15,7 +15,7 @@ ms.prod: w10
Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 client and Remote Desktop Services client. You must install the version of the client that matches the operating system of the target computer.
-**What to do before you start**
+**What to do before you start**
1. Review and install the software prerequisites:
@@ -143,8 +143,6 @@ Use the following procedure to install the Microsoft Application Virtualization
**Note**
The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter.
-
-
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
index 5210d0f706..a3e6644896 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
@@ -15,7 +15,7 @@ ms.prod: w10
Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.0 client and Remote Desktop Services client. You must install the version of the client that matches the operating system of the target computer.
-**What to do before you start**
+**What to do before you start**
1. Review and install the software prerequisites:
diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
index 766726e8e7..93a93b1da0 100644
--- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
+++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
@@ -88,12 +88,12 @@ Review the following requirements for using the App-V PowerShell cmdlets:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admin-only-posh-topic-cg)
-
[How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)
+
[How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md)
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md#bkmk-admin-pub-pkg-only-posh)
+
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)
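Review bot: each link pair in this hunk points at the same topic twice, once with an anchor (`...#bkmk-admins-pub-pkgs`, `...#bkmk-admin-pub-pkg-only-posh`) and once without, so moving the blank line only makes the duplication more visible; consider keeping the anchored link and dropping the anchor-less copy. The same pattern appears in the 5.1 copy of this topic later in the diff.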
@@ -105,8 +105,6 @@ Review the following requirements for using the App-V PowerShell cmdlets:
## Loading the PowerShell cmdlets
-
-
To load the PowerShell cmdlet modules:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
@@ -143,8 +141,6 @@ To load the PowerShell cmdlet modules:
## Getting help for the PowerShell cmdlets
-
-
Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
@@ -204,15 +200,13 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
## Displaying the help for a PowerShell cmdlet
-
-
To display help for a specific PowerShell cmdlet:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
2. Type **Get-Help** <*cmdlet*>, for example, **Get-Help Publish-AppvClientPackage**.
-**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue**? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
index f3bec5b881..239b07e16e 100644
--- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
+++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
@@ -88,12 +88,12 @@ Review the following requirements for using the App-V PowerShell cmdlets:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md#bkmk-admin-only-posh-topic-cg)
-
[How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)
+
[How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md)
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md#bkmk-admin-pub-pkg-only-posh)
+
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md)
@@ -106,7 +106,6 @@ Review the following requirements for using the App-V PowerShell cmdlets:
## Loading the PowerShell cmdlets
-
To load the PowerShell cmdlet modules:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
@@ -140,11 +139,7 @@ To load the PowerShell cmdlet modules:
-
-
## Getting help for the PowerShell cmdlets
-
-
Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
@@ -201,11 +196,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
-
-
## Displaying the help for a PowerShell cmdlet
-
-
To display help for a specific PowerShell cmdlet:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
diff --git a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md
index cc477758ac..780141e3d7 100644
--- a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md
+++ b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md
@@ -27,7 +27,7 @@ This topic explains the following procedures:
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
-**To add and publish the App-V packages in the connection group**
+**To add and publish the App-V packages in the connection group**
1. To add and publish the App-V 5.0 packages to the computer running the App-V client, type the following command:
@@ -35,7 +35,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+**To add and enable the connection group on the App-V client**
1. Add the connection group by typing the following command:
@@ -47,7 +47,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+**To enable or disable a connection group for a specific user**
1. Review the parameter description and requirements:
@@ -88,9 +88,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+**To allow only administrators to enable connection groups**
1. Review the description and requirement for using this cmdlet:
@@ -126,8 +124,6 @@ This topic explains the following procedures:
-
-
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
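Review bot: the context line `**Got an App-V issu**e?` still carries the closing bold marker inside the word, the same defect this PR fixes in how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md; since the hunk already touches the lines directly above it, fix it here too: `**Got an App-V issue**?`.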
diff --git a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md
index 695e3e6d58..8c0e37ebc8 100644
--- a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md
+++ b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md
@@ -27,7 +27,7 @@ This topic explains the following procedures:
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
-**To add and publish the App-V packages in the connection group**
+*To add and publish the App-V packages in the connection group**
1. To add and publish the App-V 5.1 packages to the computer running the App-V client, type the following command:
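Review bot: the added heading `*To add and publish the App-V packages in the connection group**` opens with a single asterisk but closes with two, so the bold markup is unbalanced and will render with a stray asterisk; it should read `**To add and publish the App-V packages in the connection group**`, matching the removed line and the 5.0 copy of this topic.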
@@ -35,7 +35,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+**To add and enable the connection group on the App-V client**
1. Add the connection group by typing the following command:
@@ -47,7 +47,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+**To enable or disable a connection group for a specific user**
1. Review the parameter description and requirements:
@@ -88,9 +88,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+**To allow only administrators to enable connection groups**
1. Review the description and requirement for using this cmdlet:
diff --git a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md
index deb1811f39..0d98c22478 100644
--- a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md
+++ b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md
@@ -31,7 +31,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+**Update an application in an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -46,8 +46,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
@@ -55,16 +53,12 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
+ You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
@@ -72,7 +66,7 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+**Modify the properties associated with an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -111,11 +105,9 @@ This topic explains how to:
**Note**
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+**Add a new application to an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -130,8 +122,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
@@ -139,8 +129,6 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page.
@@ -154,8 +142,6 @@ This topic explains how to:
**Note**
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**.
@@ -166,7 +152,6 @@ This topic explains how to:
## Related topics
-
[Operations for App-V 5.1](operations-for-app-v-51.md)
diff --git a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md
index bb5bf4b894..a1e697e16a 100644
--- a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md
+++ b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md
@@ -31,7 +31,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+**Update an application in an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -46,8 +46,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
@@ -55,8 +53,6 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
@@ -64,15 +60,13 @@ This topic explains how to:
**Note**
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. Click **Create**.
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+**Modify the properties associated with an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -101,11 +95,9 @@ This topic explains how to:
**Note**
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+**Add a new application to an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -120,8 +112,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
@@ -129,8 +119,6 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page.
@@ -144,8 +132,6 @@ This topic explains how to:
**Note**
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**.
@@ -156,7 +142,6 @@ This topic explains how to:
## Related topics
-
[Operations for App-V 5.0](operations-for-app-v-50.md)
diff --git a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
index 7d9df908fd..13ae4fd9fb 100644
--- a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
+++ b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
@@ -30,7 +30,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
-**To open the Administration and Monitoring Website**
+**To open the Administration and Monitoring Website**
1. Open a web browser and navigate to the Administration and Monitoring Website. The default URL for the Administration and Monitoring Website is:
@@ -47,7 +47,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
-**To generate an Enterprise Compliance Report**
+**To generate an Enterprise Compliance Report**
1. From the Administration and Monitoring Website, select the **Reports** node from the left navigation pane, select **Enterprise Compliance Report**, and select the filters that you want to use. The available filters for the Enterprise Compliance Report are:
@@ -61,7 +61,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
4. Select the plus sign (+) next to the computer name to view information about the volumes on the computer.
-**To generate a Computer Compliance Report**
+**To generate a Computer Compliance Report**
1. From the Administration and Monitoring Website, select the **Report** node from the left navigation pane, and then select **Computer Compliance Report**. Use the Computer Compliance Report to search for **User name** or **Computer name**.
@@ -74,9 +74,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
**Note**
An MBAM client computer is considered compliant if the computer matches or exceeds the requirements of the MBAM Group Policy settings.
-
-
-**To generate a Recovery Key Audit Report**
+**To generate a Recovery Key Audit Report**
1. From the Administration and Monitoring Website, select the **Report** node in the left navigation pane, and then select **Recovery Audit Report**. Select the filters for your Recovery Key Audit Report. The available filters for recovery key audits are as follows:
diff --git a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
index 609ec18b52..e1b330088f 100644
--- a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
+++ b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
@@ -11,19 +11,11 @@ ms.prod: w10
# How to Recover a Moved Drive
-
-
This topic explains how to use the Administration and Monitoring Website (also referred to as the Help Desk) to recover an operating system drive that was moved after being encrypted by Microsoft BitLocker Administration and Monitoring (MBAM). When a drive is moved, it no longer accepts the PIN that was used in the previous computer because the Trusted Platform Module (TPM) chip has changed. To recover the moved drive, you must obtain the recovery key ID to retrieve the recovery password.
To recover a moved drive, you must use the **Drive Recovery** area of the Administration and Monitoring Website. To access the **Drive Recovery** area, you must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role. For more information about these roles, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles).
-**Note**
-You may have given these roles different names when you created them. For more information, see [Access accounts for the Administration and Monitoring Website (Help Desk)](#bkmk-helpdesk-roles).
-
-
-
**To recover a moved drive**
-
1. On the computer that contains the moved drive, start the computer in Windows Recovery Environment (WinRE) mode, or start the computer by using the Microsoft Diagnostic and Recovery Toolset (DaRT).
2. After the computer has been started with WinRE or DaRT, MBAM will treat the moved operating system drive as a fixed data drive. MBAM will then display the drive’s recovery password ID and ask for the recovery password.
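Review bot: Dropping the whole Note (the removed lines after the roles paragraph) loses the only statement that the MBAM Helpdesk Users and MBAM Advanced Helpdesk Users roles may have been created under different names, which is exactly what a help-desk reader trying to match group names will trip over. If the removal is motivated by the broken in-page anchor `(#bkmk-helpdesk-roles)`, keep the sentence and point the link at `planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles`, the same target the preceding paragraph already uses.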
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index bae880c439..38cf7a85aa 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -283,16 +283,21 @@ MBAM supports the following versions of Configuration Manager.
-
Microsoft System Center 2012 R2 Configuration Manager
+
Microsoft System Center Configuration Manager (Current Branch), version 1606
64-bit
+
Microsoft System Center 2012 R2 Configuration Manager
+
+
64-bit
+
+
Microsoft System Center 2012 Configuration Manager
SP1
64-bit
-
+
Microsoft System Center Configuration Manager 2007 R2 or later
SP1 or later
64-bit
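Review bot: This hunk only moves blank lines around inside the flattened supported-configurations table, but it leaves "Microsoft System Center 2012 R2 Configuration Manager" listed twice (once before the "version 1606" row and once after it, the second time with no service-pack cell). Since the table is being touched anyway, confirm whether the second 2012 R2 entry is a duplicate and, if it is, remove it so the product, service pack and architecture columns line up for every row.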
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
index 3fcb31c12e..7779461ff4 100644
--- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
+++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
@@ -72,8 +72,7 @@ Before you install the MBAM Client software on end users' computers, ensure that
**Important**
-If BitLocker was used without MBAM, you must decrypt the drive and then clear TPM using tpm.msc. MBAM cannot take ownership of TPM if the client PC is already encrypted and the TPM owner password created.
-
+If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.
## Got a suggestion for MBAM?
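Review bot: The rewritten Important note reverses the previous guidance (decrypt the drive and clear the TPM with tpm.msc, because MBAM cannot take ownership of an already-owned TPM) but does not say which MBAM 2.5 release or servicing update made the new behaviour true, so a reader on an earlier client build would follow it and still hit the ownership failure the old text described. Qualify the sentence with the version it applies to, and say whether the existing TPM owner password is escrowed to MBAM or merely left in place, since TPM ownership is the point the dropped sentence was making. Minor: "utilize" reads better as "use".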
diff --git a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
index 41833fc753..a10a065f72 100644
--- a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
+++ b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
@@ -66,7 +66,7 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats:
At a Windows PowerShell command prompt, type Get-Help <cmdlet>
-
To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md#bkmk-loadposhhelp)
+
To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)
On TechNet as webpages
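Review bot: The link change drops the `#bkmk-loadposhhelp` anchor, so readers land at the top of the configuration topic instead of at the section that explains loading the cmdlet Help; if the anchor was removed because it no longer exists in the target page, add a replacement anchor there rather than losing the deep link. Two pre-existing problems on the context lines are worth fixing in the same change: "To upload the latest Windows PowerShell cmdlets" looks like it should read "To load" (the old anchor name, loadposhhelp, suggests the intended wording), and `Get-Help <cmdlet>` needs code formatting, because a bare `<cmdlet>` is parsed as an HTML tag by Markdown renderers and disappears from the rendered page.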
diff --git a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
index c4a9a942e4..548d28f073 100644
--- a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
@@ -51,7 +51,7 @@ Follow these steps to configure your MED-V image for running first time setup:
After you have completed customization of your MED-V image, you are ready to seal the image by using Sysprep.
-**Sealing the MED-V Image by Using Sysprep**
+**Sealing the MED-V Image by Using Sysprep**
1. The System Preparation tool (Sysprep) is a technology that you can use to perform image-based installations throughout the network with minimal intervention by an administrator or IT-Professional.
diff --git a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
index 544141d6d3..51bf199255 100644
--- a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
+++ b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
@@ -29,7 +29,7 @@ You can add and remove URL redirection information by performing one of the foll
- [Edit the URL Redirection Text File and Rebuild the MED-V Workspace](#bkmk-edittext)
-**To update URL Redirection information by using Group Policy**
+**To update URL Redirection information by using Group Policy**
1. Edit the registry key multi-string value that is named `RedirectUrls`. This value is typically located at:
@@ -44,7 +44,7 @@ This method of editing URL redirection information is a MED-V best practice.
-**To rebuild the MED-V workspace by using an updated URL text file**
+**To rebuild the MED-V workspace by using an updated URL text file**
- Another method of adding and removing URLs from the redirection list is to update the URL redirection text file and then use it to build a new MED-V workspace. You can then redeploy the MED-V workspace as before, by using your standard process of deployment, such as an ESD system.
diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
index 171a89953e..202fcf0954 100644
--- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
@@ -47,21 +47,15 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
3. **MED-V Host Agent Installation File** – installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md).
**Warning**
- Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
-
-
+ Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
4. **MED-V Workspace Installer, VHD, and Setup Executable** – created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md).
**Important**
The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe.
-
-
**Tip**
- Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
-
-
+ Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
3. Configure the packages to run in silent mode (no user interaction is required).
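Review bot: The Tip text is re-indented but its grammar is left broken: "Because problems that can occur when you install MED-V from a network location, we recommend ..." has no main verb in the subordinate clause. Since the line is already being changed, rewrite it as "Because problems can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe." The same applies to the Warning line above it, where "otherwise conflicts can occur later" would read better as a separate sentence.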
@@ -70,15 +64,11 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
**Note**
Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [To install the MED-V components by using a batch file](#bkmk-batch). MED-V automatically starts when the computer is restarted.
-
-
4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic.
**Important**
Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart.
-
-
5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space.
6. Assign the packages to the target set of computers/users.
@@ -91,7 +81,7 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
First time setup starts and might take several minutes to finish, depending on the size of the virtual hard disk that you specified and the number of policies applied to the MED-V workspace on startup. The end user can track the progress by watching the MED-V icon in the notification area. For more information about first time setup, see [MED-V 2.0 Deployment Overview](med-v-20-deployment-overview.md).
-**To install the MED-V components by using a batch file**
+**To install the MED-V components by using a batch file**
1. Run the installation at a command prompt with administrative credentials.
diff --git a/mdop/medv-v2/how-to-test-application-publishing.md b/mdop/medv-v2/how-to-test-application-publishing.md
index ad7c458632..7791f99e06 100644
--- a/mdop/medv-v2/how-to-test-application-publishing.md
+++ b/mdop/medv-v2/how-to-test-application-publishing.md
@@ -15,7 +15,7 @@ ms.prod: w7
After your test of first time setup finishes, you can verify that the application publishing functionality is working as expected by performing the following tasks.
-**To test application publishing**
+**To test application publishing**
1. Verify that the applications that you specified for publishing are visible.
@@ -34,8 +34,6 @@ After your test of first time setup finishes, you can verify that the applicatio
**Important**
Because Windows Virtual PC does not support creating a share from a folder that is already shared, redirection does not occur for any documents that open from a shared folder, such as a My Documents folder that is located on the network. For more information, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have verified that published applications are installed and functioning correctly, you can test whether applications can be added or removed from the MED-V workspace.
**To test that an application can be added or removed**
@@ -51,15 +49,12 @@ After you have verified that published applications are installed and functionin
**Note**
If you encounter any problems when verifying your application publication settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have completed testing application publishing, you can test other MED-V workspace configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
-
[How to Test URL Redirection](how-to-test-url-redirection.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)
diff --git a/mdop/medv-v2/how-to-test-url-redirection.md b/mdop/medv-v2/how-to-test-url-redirection.md
index 292c86b05c..21781c9cab 100644
--- a/mdop/medv-v2/how-to-test-url-redirection.md
+++ b/mdop/medv-v2/how-to-test-url-redirection.md
@@ -18,9 +18,7 @@ After your test of first time setup finishes, you can verify that the URL redire
**Important**
The MED-V Host Agent must be running for URL redirection to function correctly.
-
-
-**To test URL Redirection**
+**To test URL Redirection**
1. Open an Internet Explorer browser in the host computer and enter a URL that you specified for redirection.
@@ -45,20 +43,15 @@ The MED-V Host Agent must be running for URL redirection to function correctly.
**Note**
It can take several seconds for the URL redirection changes to take place.
-
-
**Note**
If you encounter any problems when verifying your URL redirection settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have completed testing URL redirection in your MED-V workspace, you can test other configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
-
[How to Test Application Publishing](how-to-test-application-publishing.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)
diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
index 036cada1cc..cecf6f4ceb 100644
--- a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
+++ b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
@@ -103,9 +103,7 @@ It might be necessary to change the PowerShell execution policy to allow these s
2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
-
-
-**Create the First UE-V Policy Configuration Item**
+**Create the First UE-V Policy Configuration Item**
1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:
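Review bot: Step 2 on the context line ("set the **PowerShell Execution Policy** to **Bypass**") is kept unchanged, but it is the setting readers will copy, and the topic only says it "might be necessary". Bypass disables the execution-policy check for every script the ConfigMgr client agent runs, not just the UE-V discovery and remediation scripts, so the step should say that this is a client-agent-wide setting and suggest scoping it to the client settings object deployed to the collection that receives these configuration items. The line is also missing its trailing period.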
@@ -173,8 +171,6 @@ It might be necessary to change the PowerShell execution policy to allow these s
3. Reimport the CAB file. The version in ConfigMgr will be updated.
## Generate a UE-V Template Baseline
-
-
UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.
The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters:
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index a97b55540e..886b343e52 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a

-**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
+**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
- [Decide whether to synchronize settings for custom applications](#deciding)
diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md
index a3dce6ef96..f96e6edda3 100644
--- a/windows/deploy/activate-using-active-directory-based-activation-client.md
+++ b/windows/deploy/activate-using-active-directory-based-activation-client.md
@@ -68,13 +68,13 @@ You must be a member of the local Administrators group on all computers mentione
6. Enter your KMS host key and (optionally) a display name (Figure 14).
- 
+ 
**Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15).
- 
+ 
**Figure 15**. Choosing how to activate your product
@@ -91,7 +91,7 @@ To verify your Active Directory-based activation configuration, complete the fol
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
**Note**
- If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used.
+ If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index d5ebe4beb3..f7e67993e5 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -11,6 +11,11 @@ author: greg-lindsay
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## October 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
+
## September 2016
| New or changed topic | Description |
|----------------------|-------------|
@@ -29,11 +34,6 @@ The topics in this library have been updated for Windows 10, version 1607 (also
=======
-## October 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
-
## August 2016
| New or changed topic | Description |
|----------------------|-------------|
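Review bot: The `=======` line that is left as context at the top of the second hunk is a stray merge-conflict marker, and this change moves the October 2016 table out from under it without removing it, so the rendered page will still show a bare row of equals signs between the September and August sections. Delete that line here and check the file for its matching `<<<<<<<` and `>>>>>>>` markers, which this diff does not show.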
diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 3d55bb7385..bfb8f98424 100644
--- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -47,10 +47,8 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
- **Note**
- The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-
+ >[!NOTE]
+ >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
@@ -58,16 +56,14 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
- 
+ 
Figure 15. Add the DaRT component to the Configuration Manager boot image.
6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
- **Note**
- It will take a few minutes to generate the boot image.
-
-
+ >[!NOTE]
+ >It will take a few minutes to generate the boot image.
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
@@ -75,9 +71,9 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
- 
+ 
- Figure 16. Content status for the Zero Touch WinPE x64 boot image.
+ Figure 16. Content status for the Zero Touch WinPE x64 boot image
10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
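Review bot: The caption edit (dropping the trailing period on "Figure 16. Content status for the Zero Touch WinPE x64 boot image") is fine, but the context line for step 9 immediately above it still says "selecting **the Zero Touch WinPE x86** boot image" while every other reference in this topic, including the Figure 16 caption being edited, is to the x64 image. Fix "x86" to "x64" in the same change, and move the bold to cover only the image name ("the **Zero Touch WinPE x64** boot image").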
diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md
index 3d51c0dd02..133b8e6966 100644
--- a/windows/deploy/introduction-vamt.md
+++ b/windows/deploy/introduction-vamt.md
@@ -22,18 +22,18 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
-## Managing Multiple Activation Key (MAK) and Retail Activation
+## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
-## Managing Key Management Service (KMS) Activation
+## Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
-## Enterprise Environment
+## Enterprise Environment
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
@@ -42,7 +42,7 @@ VAMT is commonly implemented in enterprise environments. The following illustrat
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
-## VAMT User Interface
+## VAMT User Interface
The following screenshot shows the VAMT graphical user interface.
diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 4f25bc9987..ea62cd3903 100644
--- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -49,25 +49,25 @@ To configure permissions for the various service accounts needed for operating s
2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
- 1. Name: CM\_JD
+ * Name: CM\_JD
- 2. User logon name: CM\_JD
+ * User logon name: CM\_JD
- 3. Password: P@ssw0rd
+ * Password: P@ssw0rd
- 4. User must change password at next logon: Clear
+ * User must change password at next logon: Clear
- 5. User cannot change password: Select
+ * User cannot change password: Select
- 6. Password never expires: Select
+ * Password never expires: Select
3. Repeat the step, but for the CM\_NAA account.
4. After creating the accounts, assign the following descriptions:
- 1. CM\_JD: Configuration Manager Join Domain Account
+ * CM\_JD: Configuration Manager Join Domain Account
- 2. CM\_NAA: Configuration Manager Network Access Account
+ * CM\_NAA: Configuration Manager Network Access Account

@@ -93,39 +93,37 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
- 1. Scope: This object and all descendant objects
+ * Scope: This object and all descendant objects
- 2. Create Computer objects
+ * Create Computer objects
- 3. Delete Computer objects
+ * Delete Computer objects
- 4. Scope: Descendant Computer objects
+ * Scope: Descendant Computer objects
- 5. Read All Properties
+ * Read All Properties
- 6. Write All Properties
+ * Write All Properties
- 7. Read Permissions
+ * Read Permissions
- 8. Modify Permissions
+ * Modify Permissions
- 9. Change Password
+ * Change Password
- 10. Reset Password
+ * Reset Password
- 11. Validated write to DNS host name
+ * Validated write to DNS host name
- 12. Validated write to service principal name
+ * Validated write to service principal name
## Review the Sources folder structure
To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01):
-**Note**
-In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
-
+>[!NOTE]
+>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
- E:\\Sources
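Review bot: Converting the step-3 permission list to bullets flattens a two-level structure: "Scope: This object and all descendant objects" is the heading for the two Create/Delete Computer objects rights that follow it, and "Scope: Descendant Computer objects" is the heading for the ten rights after it. Nest the rights under their Scope bullet so the reader can see which ACEs apply to the OU itself and which to the computer objects beneath it. Worth one extra sentence in the same step: "Write All Properties" and "Modify Permissions" on every descendant computer object make CM_JD a highly privileged account over that OU, which is a reason to treat its password (set to a sample value earlier in this topic) as a production secret.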
@@ -168,9 +166,9 @@ To extend the Configuration Manager console with MDT 2013 Update 2 wizards and t
5. From the Start screen, run Configure ConfigManager Integration with the following settings:
- 1. Site Server Name: CM01.contoso.com
+ * Site Server Name: CM01.contoso.com
- 2. Site code: PS1
+ * Site code: PS1

@@ -221,15 +219,15 @@ Configuration Manager has many options for starting a deployment, but starting v
3. In the **PXE** tab, select the following settings:
- 1. Enable PXE support for clients
+ * Enable PXE support for clients
- 2. Allow this distribution point to respond to incoming PXE requests
+ * Allow this distribution point to respond to incoming PXE requests
- 3. Enable unknown computer support
+ * Enable unknown computer support
- 4. Require a password when computers use PXE
+ * Require a password when computers use PXE
- 5. Password and Confirm password: Passw0rd!
+ * Password and Confirm password: Passw0rd!

diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index fe8e875c6b..6f41793f47 100644
--- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -40,30 +40,30 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- 1. General
+ * General
- 2. Name: Install Windows 10 Enterprise x64
+ * Name: Install Windows 10 Enterprise x64
- 3. Limited Collection: All Systems
+ * Limited Collection: All Systems
- 4. Membership rules:
+ * Membership rules:
- 5. Direct rule
+ * Direct rule
- 6. Resource Class: System Resource
+ * Resource Class: System Resource
- 7. Attribute Name: Name
+ * Attribute Name: Name
- 8. Value: PC0003
+ * Value: PC0003
- 9. Select **Resources**
+ * Select **Resources**
- 10. Select **PC0003**
+ * Select **PC0003**
2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
-**Note**
-It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+ >[!NOTE]
+ >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
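Review bot: The collection settings lose their grouping when every line becomes a top-level bullet: "General" is the wizard page that holds Name and Limited Collection, and "Membership rules:" is the page that holds the Direct rule, Resource Class, Attribute Name and Value entries, with "Select **Resources**" and "Select **PC0003**" being actions inside that rule. Nest the items under "General" and "Membership rules:" so the bullets mirror the wizard, and keep the two Select items as actions (numbered, or worded "Click Resources, then select PC0003") rather than settings.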
@@ -82,8 +82,8 @@ Using the Configuration Manager console, in the Software Library workspace, sele
- Make available to the following: Configuration Manager clients, media and PXE
- **Note**
- It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+ >[!NOTE]
+ >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
@@ -110,10 +110,8 @@ Now you can start the computer refresh on PC0003.
1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
- **Note**
- The Client Notification feature is new in Configuration Manager.
-
-
+ >[!NOTE]
+ >The Client Notification feature is new in Configuration Manager.
2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
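Review bot: The Note converted here still reads "The Client Notification feature is new in Configuration Manager", which gives the reader no way to tell whether their console has it. Replace "new" with the Configuration Manager version that introduced Client Notification (the diff does not show it, so it needs to come from the product documentation), or drop the note if the version is not known.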
diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
index 450e831b33..91eb3986c7 100644
--- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
@@ -20,7 +20,7 @@ This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (L
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -28,15 +28,21 @@ Figure 1. The machines used in this topic.
Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
+
1. Back up data and settings locally, in a backup folder.
+
2. Wipe the partition, except for the backup folder.
+
3. Apply the new operating system image.
+
4. Install other applications.
+
5. Restore data and settings.
+
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
-**Note**
-In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
+>[!NOTE]
+>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
### Multi-user migration
@@ -45,8 +51,8 @@ by configuring command-line switches to ScanState (added as rules in MDT).
As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
-**Note**
-You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
+>[!NOTE]
+>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
### Support for additional settings
@@ -55,12 +61,15 @@ In addition to the command-line switches that control which profiles to migrate,
## Create a custom User State Migration Tool (USMT) template
In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
+
1. Back up the **C:\\Data** folder (including all files and folders).
+
2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
-The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
-- [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
-- [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
-- [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
+ The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
+
+ * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
+ * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
+ * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
### Add the custom XML template
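Review bot: the re-added paragraph `+ The custom USMT template is named MigContosoData.xml, ...` picks up a stray leading space and, unless a blank line separates it from `2. Scan the local disk for PDF documents ...`, a CommonMark renderer will fold it into that list item as a lazy continuation line. Drop the leading space and keep a blank line before the paragraph (the blank line added before `* [Gather script]` is correct). The bullet marker also switches from `-` to `*` here, while the other files in this patch keep `-` (for example the `- [Log entry structure]` list in resolve-windows-10-upgrade-errors.md); pick one marker across the doc set.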
@@ -77,27 +86,30 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it
After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
-**Note**
-MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+>[!NOTE]
+>MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
### Upgrade (refresh) a Windows 7 SP1 client
1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
- 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
- 2. Computer name: <default>
- 3. Specify where to save a complete computer backup: Do not back up the existing computer
- **Note**
- Skip this optional full WIM backup. The USMT backup will still run.
+
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
+ * Computer name: <default>
+ * Specify where to save a complete computer backup: Do not back up the existing computer
+ >[!NOTE]
+ >Skip this optional full WIM backup. The USMT backup will still run.
2. Select one or more applications to install: Install - Adobe Reader XI - x86
-3. The setup now starts and does the following:
- 1. Backs up user settings and data using USMT.
- 2. Installs the Windows 10 Enterprise x64 operating system.
- 3. Installs the added application(s).
- 4. Updates the operating system via your local Windows Server Update Services (WSUS) server.
- 5. Restores user settings and data using USMT.
-
+3. The setup now starts and does the following:
+
+ * Backs up user settings and data using USMT.
+ * Installs the Windows 10 Enterprise x64 operating system.
+ * Installs the added application(s).
+ * Updates the operating system via your local Windows Server Update Services (WSUS) server.
+ * Restores user settings and data using USMT.
+
+
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
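Review bot: `* Computer name: <default>` leaves `<default>` as raw inline HTML; CommonMark-based renderers treat it as an unknown tag and drop it from the rendered page, so the step reads `Computer name:` with nothing after it. Escape it as `\<default\>` or wrap it in backticks so the placeholder survives rendering.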
@@ -109,7 +121,6 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
-
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
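Review bot: this hunk deletes the blank line between `[Deploy a Windows 10 image using MDT 2013 Update 2](...)` and `[Build a distributed environment for Windows 10 deployment](...)`; if no other blank line remains between them, the two links collapse into one paragraph and render on a single line, unlike the other related-topic links. Confirm that a blank line still separates each link in the rendered output.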
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 5691f94681..397914bb14 100644
--- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -32,9 +32,9 @@ In this topic, you will create a backup-only task sequence that you run on PC000
3. On the **General** page, assign the following settings and click **Next**:
- 1. Task sequence name: Replace Task Sequence
+ * Task sequence name: Replace Task Sequence
- 2. Task sequence comments: USMT backup only
+ * Task sequence comments: USMT backup only
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
@@ -48,9 +48,11 @@ In this topic, you will create a backup-only task sequence that you run on PC000
9. On the **Confirmation** page, click **Finish**.
-10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
+10. Review the Replace Task Sequence.
+>[!NOTE]
+>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
+
Figure 34. The backup-only task sequence (named Replace Task Sequence).
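Review bot: the callout split out of `10. Review the Replace Task Sequence.` is placed at column 0 (`>[!NOTE]`), which ends the numbered list, while elsewhere in this patch the same kind of callout is indented to stay inside its list item (for example the note added under step 7 of this file). Either works here because item 10 is the last item, but use one convention consistently.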
@@ -67,13 +69,13 @@ This section walks you through the process of associating a blank machine, PC000
4. On the **Single Computer** page, use the following settings and then click **Next**:
- 1. Computer Name: PC0006
+ * Computer Name: PC0006
- 2. MAC Address: <the mac address from step 1>
+ * MAC Address: <the mac address from step 1>
- 3. Source Computer: PC0004
+ * Source Computer: PC0004
- 
+ 
Figure 35. Creating the computer association between PC0004 and PC0006.
@@ -96,25 +98,25 @@ This section walks you through the process of associating a blank machine, PC000
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
- 1. General
+ * General
- 2. Name: USMT Backup (Replace)
+ * Name: USMT Backup (Replace)
- 3. Limited Collection: All Systems
+ * Limited Collection: All Systems
- 4. Membership rules:
+ * Membership rules:
- 5. Direct rule
+ * Direct rule
- 6. Resource Class: System Resource
+ * Resource Class: System Resource
- 7. Attribute Name: Name
+ * Attribute Name: Name
- 8. Value: PC0004
+ * Value: PC0004
- 9. Select **Resources**
+ * Select **Resources**
- 10. Select **PC0004**
+ * Select **PC0004**
2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
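Review bot: converting `1.` to `10.` into a flat `*` list keeps all ten settings at one level, although `* General` and `* Membership rules:` are wizard pages and the items after each of them (`* Name:` and `* Limited Collection:`, then `* Direct rule` through `* Select **PC0004**`) are the values entered on that page. Nest the values as a sub-list under their page heading so the reader can see which dialog each setting belongs to.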
@@ -158,10 +160,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
- **Note**
- You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
-
-
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
@@ -173,8 +173,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
-**Note**
-It may take a few minutes for the user state store location to be populated.
+ >[!NOTE]
+ >It may take a few minutes for the user state store location to be populated.
@@ -183,21 +183,21 @@ It may take a few minutes for the user state store location to be populated.
1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
- 1. Password: P@ssw0rd
+ * Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
2. The setup now starts and does the following:
- 1. Installs the Windows 10 operating system
+ * Installs the Windows 10 operating system
- 2. Installs the Configuration Manager client
+ * Installs the Configuration Manager client
- 3. Joins it to the domain
+ * Joins it to the domain
- 4. Installs the applications
+ * Installs the applications
- 5. Restores the PC0004 backup
+ * Restores the PC0004 backup
When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
index c4d80c812b..a3e51c36b6 100644
--- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -19,7 +19,7 @@ author: mtniehaus
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -30,11 +30,13 @@ When preparing for the computer replace, you need to create a folder in which to
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
+
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
### Create and share the MigData folder
1. On MDT01, log on as **CONTOSO\\Administrator**.
+
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` syntax
New-Item -Path E:\MigData -ItemType directory
@@ -45,75 +47,90 @@ When preparing for the computer replace, you need to create a folder in which to
### Create a backup only (replace) task sequence
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
+
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: REPLACE-001
- 2. Task sequence name: Backup Only Task Sequence
- 3. Task sequence comments: Run USMT to backup user data and settings
- 4. Template: Standard Client Replace Task Sequence
+
+ * Task sequence ID: REPLACE-001
+ * Task sequence name: Backup Only Task Sequence
+ * Task sequence comments: Run USMT to backup user data and settings
+ * Template: Standard Client Replace Task Sequence
+
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- 
+ 
Figure 2. The Backup Only Task Sequence action list.
## Perform the computer replace
During a computer replace, these are the high-level steps that occur:
+
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
+
2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Execute the replace task sequence
1. On PC0002, log on as **CONTOSO\\Administrator**.
+
2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
+
3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
+
4. Complete the Windows Deployment Wizard using the following settings:
+
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
- 1. Specify where to save your data and settings: Specify a location
- 2. Location: \\\\MDT01\\MigData$\\PC0002
- **Note**
- If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
+ * Specify where to save your data and settings: Specify a location
+ * Location: \\\\MDT01\\MigData$\\PC0002
+
+ >[!NOTE]
+ >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
2. Specify where to save a complete computer backup: Do not back up the existing computer
3. Password: P@ssw0rd
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
- 
+ 
Figure 3. The new task sequence running the Capture User State action on PC0002.
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
- 
+ 
Figure 4. The USMT backup of PC0002.
### Deploy the PC0007 virtual machine
1. Create a virtual machine with the following settings:
- 1. Name: PC0007
- 2. Location: C:\\VMs
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Hard disk: 60 GB (dynamic disk)
+
+ * Name: PC0007
+ * Location: C:\\VMs
+ * Generation: 2
+ * Memory: 2048 MB
+ * Hard disk: 60 GB (dynamic disk)
+
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
- 
+ 
Figure 5. The initial PXE boot process of PC0005.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- 1. Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer:
- 1. Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: PC0007
- 3. Applications: Select the Install - Adobe Reader XI - x86 application.
+
+ * Password: P@ssw0rd
+ * Select a task sequence to execute on this computer:
+ * Windows 10 Enterprise x64 RTM Custom Image
+ * Computer Name: PC0007
+ * Applications: Select the Install - Adobe Reader XI - x86 application.
+
4. The setup now starts and does the following:
- 1. Installs the Windows 10 Enterprise operating system.
- 2. Installs the added application.
- 3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
- 4. Restores the USMT backup from PC0002.
+
+ * Installs the Windows 10 Enterprise operating system.
+ * Installs the added application.
+ * Updates the operating system via your local Windows Server Update Services (WSUS) server.
+ * Restores the USMT backup from PC0002.
## Related topics
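Review bot: `* Select a task sequence to execute on this computer:` and `* Windows 10 Enterprise x64 RTM Custom Image` are now two sibling bullets, so the task sequence name no longer reads as the value of that setting; put it on one line, as the other wizard settings in this patch do (`* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image` in the Configuration Manager topic). While in this section, the unchanged caption `Figure 5. The initial PXE boot process of PC0005.` names PC0005 although the step above starts PC0007, and `full Window Imaging (WIM) backup` should read `Windows Imaging`.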
diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md
index bf0d615201..dc86e81da7 100644
--- a/windows/deploy/resolve-windows-10-upgrade-errors.md
+++ b/windows/deploy/resolve-windows-10-upgrade-errors.md
@@ -18,6 +18,8 @@ localizationpriority: high
This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
+If you are not an IT administrator, you can try the [quick fixes](#quick-fixes) listed in this topic. If the quick fixes do not resolve your issue, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+
## In this topic
The following sections and procedures are provided in this guide:
@@ -31,7 +33,7 @@ The following sections and procedures are provided in this guide:
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
- - [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
+ - [0xC1900101](#0xc1900101): Information about the 0xC1900101 result code.
- [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
@@ -63,6 +65,7 @@ WIM = Windows image (Microsoft)
The following steps can resolve many Windows upgrade problems.
+
Remove nonessential external hardware, such as docks and USB devices.
Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
chkdsk /F
@@ -81,14 +84,12 @@ The following steps can resolve many Windows upgrade problems.
Verify compatibility information and re-install antivirus applications after the upgrade.
Uninstall all nonessential software.
-
Remove nonessential external hardware, such as docks and USB devices.
Update firmware and drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
-
## Upgrade error codes
If the upgrade process is not successful, Windows Setup will return two codes:
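Review bot: `Remove nonessential external hardware, such as docks and USB devices.` appears here and again as the first step in the preceding hunk (`@@ -63,6 +65,7`); if both belong to the same quick-fixes list, the step is listed twice and one copy should go while the list is being reflowed.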
@@ -102,7 +103,7 @@ Note: If only a result code is returned, this can be because a tool is being use
### Result codes
->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Other error codes](#other-error-codes) section later in this topic.
+>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
Result codes can be matched to the type of error encountered. To match a result code to an error:
@@ -245,16 +246,13 @@ A setupact.log or setuperr.log entry includes the following elements:
See the following example:
-
-
2016-09-08 09:23:50
-
Warning
-
MIG
-
Could not replace object C:\Users\user1\Cookies. Target Object cannot be removed.
@@ -336,13 +334,10 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
-
## Resolution procedures
-
### 0xC1900101
-
A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
@@ -742,6 +737,12 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes)
Mitigation
+
+
0xC1800118
+
WSUS has downloaded content that it cannot use due to a missing decryption key.
+
See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information.
+
+
0xC1900200
Setup.exe has detected that the machine does not meet the minimum system requirements.
@@ -771,7 +772,7 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes)
0x80246007
The update was not downloaded successfully.
-
Attempt other methods of upgrading the operatign system.
+
Attempt other methods of upgrading the operating system.
Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
Attempt to upgrade using .ISO or USB.
**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
@@ -865,7 +866,7 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
[Analyze log files](#analyze-log-files) to determine the issue.
0xC1900101 - 0x4001E
Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
-
This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.
+
This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.
0x80070005 - 0x4000D
The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.
diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md
index 8307a9bfbf..1d08d1f5cb 100644
--- a/windows/deploy/upgrade-analytics-get-started.md
+++ b/windows/deploy/upgrade-analytics-get-started.md
@@ -2,33 +2,31 @@
title: Get started with Upgrade Analytics (Windows 10)
description: Explains how to get started with Upgrade Analytics.
ms.prod: w10
-author: MaggiePucciEvans
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
---
# Get started with Upgrade Analytics
-Use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. We use this data to identify compatibility issues that can block your upgrade and suggest fixes that are known to Microsoft.
+This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics. Also, check out the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics) for new announcements and helpful tips for using Upgrade Analytics.
-For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+You can use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft.
+
+To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-
-This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics.
-
To configure Upgrade Analytics, you’ll need to:
- Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal
-
- Establish communications and enable data sharing between your organization and Microsoft
Each task is explained in detail in the following sections.
-
## Add Upgrade Analytics to Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
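Review bot: removing the blank lines between the three `- [Configure Windows telemetry ...]` bullets and between the two `To configure Upgrade Analytics` bullets turns these loose lists into tight ones, whereas earlier hunks in this patch add blank lines between list items (the five `To complete a computer refresh` steps). Tight and loose lists render differently, so settle on one convention for the patch.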
@@ -101,7 +99,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Site discovery requires the [July 2016 security update for Internet Explorer](https://support.microsoft.com/en-us/kb/3170106) (KB3170106) or later. |
+| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
### Automate data collection
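Review bot: the rewritten cell drops the concrete baseline (`KB3170106`, the July 2016 security update for Internet Explorer) that told readers which update first delivered site discovery; `Install the latest Windows Monthly Rollup` is sound advice but gives no way to check whether an already-patched machine qualifies. Keep the KB number, or the July 2016 Cumulative Update it names, next to the rollup recommendation, and prefer https for the catalog.update.microsoft.com link.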
@@ -109,9 +107,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
-
- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again.
-
- Schedule monthly user computer scans to view monthly active computer and usage information.
## Run the Upgrade Analytics deployment script
@@ -170,6 +166,40 @@ To run the Upgrade Analytics deployment script:
6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+
+
+
+
Exit code
Meaning
+
0
Success
+
1
Unexpected error occurred while executing the script
+
2
Error when logging to console. $logMode = 0.
+
3
Error when logging to console and file. $logMode = 1.
+
4
Error when logging to file. $logMode = 2.
+
5
Error when logging to console and file. $logMode = unknown.
+
6
The commercialID parameter is set to unknown. Modify the script.
+
7
Function -CheckCommercialId: Unexpected failure.
+
8
Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection.
+
9
Error when writing CommercialId to registry.
+
10
Error when writing CommercialDataOptIn to registry.
+
11
Function -SetupCommercialId: Unexpected failure.
+
12
Can’t connect to Microsoft – Vortex. Check your network/proxy settings.
+
13
Can’t connect to Microsoft – setting. Check your network/proxy settings.
+
14
Can’t connect to Microsoft – compatexchange. Check your network/proxy settings.
+
15
Error connecting to Microsoft. Check your network/proxy settings.
+
16
Machine requires reboot.
+
17
Function -CheckRebootRequired: Unexpected failure.
+
18
Outdated compatibility update KB package. Update via Windows Update/WSUS.
+
19
This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded.
+
Function – SetRequestAllAppraiserVersions: Unexpected failure.
+
22
Error when running inventory scan.
+
23
Error finding system variable %WINDIR%.
+
+
+
+
## Seeing data from computers in Upgrade Analytics
After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
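Review bot: The row "Function – SetRequestAllAppraiserVersions: Unexpected failure." has no exit code, and codes 20 and 21 are absent between 19 and 22; either supply the missing numbers or state that the gap is intentional, since operators will script on these values. Smaller points in the same table: the dash style is inconsistent ("Function -CheckCommercialId" vs "Function – SetRequestAllAppraiserVersions"), codes 3 and 5 carry an identical description so the text cannot tell them apart, code 19 reads "Make sure you have recent compatibility update KB downloaded" (missing "the"), and the code 8 row contains a registry path with backslashes, so check that it renders literally.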
diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md
index f236d85945..5f0e5067ad 100644
--- a/windows/deploy/upgrade-analytics-review-site-discovery.md
+++ b/windows/deploy/upgrade-analytics-review-site-discovery.md
@@ -15,7 +15,7 @@ This section of the Upgrade Analytics workflow provides an inventory of web site
Ensure the following prerequisites are met before using site discovery:
-1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update](https://support.microsoft.com/kb/3170106) and later.
+1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it.
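Review bot: The new step 1 removes the KB3170106 link that previously identified the minimum IE11 update, leaving "July 2016 Cumulative Update" without a concrete identifier; keep the KB number in the sentence. The catalog link is `http://` and should be `https://`. The unchanged step 2 has "telemetery" for "telemetry" and could be fixed in the same hunk.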
diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md
index e856679334..975f11e54a 100644
--- a/windows/deploy/usmt-exclude-files-and-settings.md
+++ b/windows/deploy/usmt-exclude-files-and-settings.md
@@ -32,7 +32,7 @@ If you specify an <exclude> rule, always specify a corresponding <inclu
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
-- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-c-data-except-files-in-c-data-tmp)
+- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
@@ -246,7 +246,7 @@ The following .xml file unconditionally excludes the system folders of `C:\Windo
```
-## Create a Config.xml File
+## Create a Config XML File
You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file.
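Review bot: Renaming the heading to "Create a Config XML File" changes its generated anchor, while the paragraph directly beneath it still refers to the file as Config.xml, so the heading now disagrees with its own body and any existing link to the old anchor breaks. If the rename is only to avoid the dot in the slug, say so in the commit message and update every in-repo link to this section in the same change.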
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
index 9356e2c31c..e555794d61 100644
--- a/windows/deploy/windows-10-upgrade-paths.md
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -23,7 +23,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
->**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#Free-upgrade-paths).
+>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#free-upgrade-paths).
✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed.
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index c2f86a7621..eaedfbf278 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -34,6 +34,7 @@
### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
+#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
@@ -681,6 +682,18 @@
###### [Shut down the system](shut-down-the-system.md)
###### [Synchronize directory service data](synchronize-directory-service-data.md)
###### [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)
+### [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
+#### [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+##### [Smart Card Architecture](smart-card-architecture.md)
+##### [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
+##### [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
+##### [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
+##### [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
+##### [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
+#### [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
+##### [Smart Cards Debugging Information](smart-card-debugging-information.md)
+##### [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
+##### [Smart Card Events](smart-card-events.md)
### [Trusted Platform Module](trusted-platform-module-overview.md)
#### [TPM fundamentals](tpm-fundamentals.md)
#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
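Review bot: None of the twelve smart-card-*.md topics linked here appear anywhere in the visible portion of this diff; confirm they are part of this change or already in the repo, since a TOC entry pointing at a missing file breaks the build. The new entries also use title case ("How Smart Card Sign-in Works in Windows") while neighbouring entries use sentence case ("TPM fundamentals"); pick one convention.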
@@ -696,6 +709,13 @@
#### [How User Account Control works](how-user-account-control-works.md)
#### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md)
+### [Virtual Smart Cards](virtual-smart-card-overview.md)
+#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+##### [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+##### [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+##### [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+#### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
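Review bot: The virtual-smart-card-*.md files referenced by these seven entries are not in the visible diff; confirm they exist before merging. The entry titles are in title case ("Use Virtual Smart Cards", "Evaluate Virtual Smart Card Security") next to sentence-case siblings ("How User Account Control works"), so the casing should be aligned with the rest of the TOC.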
diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
index 69108c1fcc..d03cb6cbe3 100644
--- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -37,7 +37,7 @@ In this topic:
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
index 11b782d3f8..84cdd96dc6 100644
--- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -25,11 +25,11 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
-- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
+- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md
index 14ecaca52f..dd4bf9d8d5 100644
--- a/windows/keep-secure/advanced-security-audit-policy-settings.md
+++ b/windows/keep-secure/advanced-security-audit-policy-settings.md
@@ -27,7 +27,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
-**Account Logon**
+## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
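Review bot: Promoting the bold labels to `##` headings changes their anchors and adds them to the page outline, so the introductory sentence "are available in the following categories:" now ends with a colon immediately before a heading; reword it as a full sentence. Also verify that the topic title is the only `#`-level heading, so that `##` is the correct level for these categories.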
@@ -36,7 +36,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-**Account Management**
+## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
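Review bot: The unchanged context list under the new Account Logon heading includes "Audit Other Logon/Logoff Events", which is a Logon/Logoff subcategory (it appears again under Logon/Logoff later in this patch); the fourth Account Logon subcategory is "Audit Other Account Logon Events". Worth correcting while this section is being restructured, since readers use these lists to map subcategories to the correct auditpol category.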
@@ -47,7 +47,7 @@ The security audit policy settings in this category can be used to monitor chang
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
-**Detailed Tracking**
+## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
@@ -57,7 +57,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
-**DS Access**
+## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
@@ -66,7 +66,7 @@ DS Access security audit policy settings provide a detailed audit trail of attem
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
-**Logon/Logoff**
+## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
@@ -82,11 +82,11 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
-**Object Access**
+## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
+Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
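Review bot: The context line "enable the appropriate object Aaccess auditing subcategory" has a typo ("Aaccess") that could be fixed in this hunk. The new `#global-object-access-auditing` anchor resolves only because the last hunk in this file renames the heading to "Global Object Access Auditing"; the two hunks must land together.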
@@ -105,7 +105,7 @@ This category includes the following subcategories:
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-**Policy Change**
+## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
@@ -116,7 +116,7 @@ Policy Change audit events allow you to track changes to important security poli
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-**Privilege Use**
+## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
@@ -124,7 +124,7 @@ Permissions on a network are granted for users or computers to complete defined
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-**System**
+## System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
@@ -134,7 +134,7 @@ System security policy settings and audit events allow you to track system-level
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
-**Global Object Access**
+## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
index 09000d467d..3a4746998e 100644
--- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ Highlighted area|Area name|Description
:---|:---|:---
(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
(2)|Alerts|Each alert shows:
The severity of an alert as a colored bar
A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)
The last occurrence of the alert on any machine
The number of days the alert has been in the queue
The severity of the alert
The general category or type of alert, or the alert's kill-chain stage
The affected machine (if there are multiple machines, the number of affected machines will be shown)
A **Manage Alert** menu icon  that allows you to update the alert's status and add comments
Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
-(3)|Alerts sorting and filters | You can sort alerts by:
**Newest** (when the threat was last seen on your network)
**Time in queue** (how long the threat has been in your queue)
**Severity**
You can also filter the displayed alerts by:
Severity
Time period
See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
+(3)|Alerts sorting and filters | You can sort alerts by:
**Newest** (when the threat was last seen on your network)
**Time in queue** (how long the threat has been in your queue)
**Severity**
You can also filter the displayed alerts by:
Severity
Time period
See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details.
##Sort and filter the Alerts queue
You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
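Review bot: Only the link target in the (3) row changes, but the context heading `##Sort and filter the Alerts queue` lacks the space after `##` that CommonMark requires for a heading, so it renders as literal text; fix it in the same hunk.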
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
new file mode 100644
index 0000000000..55939649d4
--- /dev/null
+++ b/windows/keep-secure/app-behavior-with-wip.md
@@ -0,0 +1,131 @@
+---
+title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
+description: How unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) networking policies, app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.pagetype: security
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
+
+To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
+
+- Don’t use common controls for saving files.
+- Don’t use common controls for text boxes.
+- Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
+
+We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
+
+>[!Note]
+>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
+
+## Unenlightened app behavior
+This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+
+
+
+
App rule setting
+
Networking policy configuration
+
+
+
+
Name-based policies, without the /*AppCompat*/ string
+
Name-based policies, using the /*AppCompat*/ string or proxy-based policies
+
+
+
Not required. App connects to enterprise cloud resources directly, using an IP address.
+
+
+
App is entirely blocked from both personal and enterprise cloud resources.
+
No encryption is applied.
+
App can’t access local Work files.
+
+
+
+
+
App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.
+
No encryption is applied.
+
App can’t access local Work files.
+
+
+
+
+
Not required. App connects to enterprise cloud resources, using a hostname.
+
+
+
App is blocked from accessing enterprise cloud resources, but can access other network resources.
+
No encryption is applied.
+
App can’t access local Work files.
+
+
+
+
+
Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
+
+
+
App can access both personal and enterprise cloud resources.
+
Auto-encryption is applied.
+
App can access local Work files.
+
+
+
+
+
Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
+
+
+
App can access both personal and enterprise cloud resources.
+
No encryption is applied.
+
App can access local Work files.
+
+
+
+
+
+## Enlightened app behavior
+This table includes info about how enlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+
+
+
+
App rule setting
+
Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies
+
+
+
Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
+
+
+
App is blocked from accessing enterprise cloud resources, but can access other network resources.
+
No encryption is applied.
+
App can't access local Work files.
+
+
+
+
+
Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
+
+
+
App can access both personal and enterprise cloud resources.
+
App protects work data and leaves personal data unprotected.
+
App can access local Work files.
+
+
+
+
+
Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
+
+
+
App can access both personal and enterprise cloud resources.
+
App protects work data and leaves personal data unprotected.
+
App can access local Work files.
+
+
+
+
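Review bot: "Enlighted apps can differentiate between corporate and personal data" should read "Enlightened apps". In the unenlightened-app table, the header defines two networking-policy columns (name-based without the /*AppCompat*/ string, and name-based with /*AppCompat*/ or proxy-based) and the first row ("Not required... using an IP address") gives two outcome cells, but the "Not required... using a hostname" row gives only one; confirm the second cell is not missing. The first-row outcome "App is entirely blocked from both personal and enterprise cloud resources" is the strongest statement on the page and deserves a sentence on why IP-based connections cannot be matched by a name-based policy.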
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
index 0beb5a8932..3f72f93ba5 100644
--- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
@@ -117,7 +117,7 @@ When you need to recover the TPM owner information from AD DS and use it to man
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
-2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
+2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
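Review bot: This switches the link to a `#bkmk-get-tpmownerinfo` anchor while the rest of this patch replaces `bkmk-` anchors with heading slugs (for example `#global-object-access-auditing` and `#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain`); confirm the target section actually carries an explicit `bkmk-get-tpmownerinfo` id, otherwise use the heading slug for consistency.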
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md
index c329ed5d14..6e3ae93c32 100644
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@@ -319,7 +319,7 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
## Security
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index ee3f4325ff..759d44b4af 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,11 +12,23 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## November 2016
+| New or changed topic | Description |
+| --- | --- |
+|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md), [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md), and [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Added additional details about what happens when you turn off WIP. |
+|[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) |Changed WIPModeID to EDPModeID, to match the CSP. |
+
+
## October 2016
| New or changed topic | Description |
| --- | --- |
-| [VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
+|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
+|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
+|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
+|[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
## September 2016
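Review bot: typo in the new October 2016 row for the SCCM and Intune WIP topics: "optioanl icon overlay" should read "optional icon overlay". The two blank lines added between the November 2016 table and "## October 2016" can be collapsed to one so the spacing matches the rest of the change history.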
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 731d00b2c5..59f309b4ab 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -67,7 +67,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
4. Click **Policies**, then **Administrative templates**.
-5. Click **Windows components** and then **Windows Advanced Threat Protection**.
+5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your endpoints.
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 3b4fddffaf..b5b16faf54 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -33,15 +33,54 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint Management** on the **Navigation pane**.
+ a. Select **Endpoint Management** on the **Navigation pane**.
- b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
+ b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+
+ 
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
-Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
+ a. Select **Policy** > **Configuration Policies** > **Add**.
+ 
+
+ b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
+ 
+
+ c. Type a name and description for the policy.
+ 
+
+ d. Under OMA-URI settings, select **Add...**.
+ 
+
+ e. Type the following values then select **OK**:
+
+ 
+
+ - **Setting name**: Type a name for the setting.
+ - **Setting description**: Type a description for the setting.
+ - **Data type**: Select **String**.
+ - **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
+ - **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
+
+
+ f. Save the policy.
+
+ 
+
+ g. Deploy the policy.
+
+ 
+
+ h. Select the device group to deploy the policy to:
+
+ 
+
+When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**.
+
+You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
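Review bot: the new sub-steps a through h contain whitespace-only lines (for example the two lines after "Select **Mobile Device Management/Microsoft Intune** > **Download package**" and the lines around each image placeholder) that will render as extra vertical space; drop them. The sentence introducing the policy list, "These policies can be sub-categorized to:", reads awkwardly; suggest "These policies fall into the following categories:". Step h ends with a colon ("Select the device group to deploy the policy to:") and nothing follows but an image, so either close the sentence or make sure the image actually shows the group selection. Since the **Value** field in step e takes the full contents of *WindowsDefenderATP.onboarding*, it is worth repeating here what step 2 already implies: keep that file in a read-only location limited to the administrators who deploy the policy.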
@@ -49,10 +88,10 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
-Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
- | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
- | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
- Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 Default value: 1 | Windows Defender ATP Sample sharing is enabled
+Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
+Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
+Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
+Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 Default value: 1 | Windows Defender ATP Sample sharing is enabled
> [!NOTE]
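Review bot: the **Value** cell for the SampleSharing row runs two facts together, "0 or 1 Default value: 1"; suggest "0 or 1 (default: 1)" so the reader does not parse it as a single value. The expanded policy names ("Health Status for onboarded machines: Sense Is Running", and so on) are an improvement over the empty first cells, but the note below still refers to the **Health Status for onboarded machines** policy in the singular, so make sure that wording still matches now that it is three named rows.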
@@ -83,8 +122,8 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
- Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
- | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
+ Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
+Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
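Review bot: inconsistent indentation in the offboarding table: the "Health Status for offboarded machines: Sense Is Running" row keeps a leading space before the policy name while the "Onboarding State" row on the next line does not (the onboarding table in the previous hunk had the same leading space removed). Remove it here too so both rows render identically.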
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 5aaa60e929..c24886d168 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -28,14 +28,17 @@ The embedded Windows Defender ATP sensor runs in system context using the LocalS
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
-- Configure the proxy server manually using a static proxy
+ - Auto-discovery methods:
+ - Transparent proxy
+ - Web Proxy Auto-discovery Protocol (WPAD)
- - Auto-discovery methods:
- - Transparent proxy
+> [!NOTE]
+> If you're using Transparent proxy or WPAD in your network topology, you don't need special endpoint configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
- - Manual static proxy configuration
- - WinHTTP configured using netsh command
- - Registry based configuration
+
+ - Manual static proxy configuration:
+ - WinHTTP configured using netsh command
+ - Registry based configuration
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
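Review bot: the new NOTE block is inserted between the two top-level list items ("Auto-discovery methods:" and "Manual static proxy configuration:"), which splits the list in two; move the note after the complete list (after "Registry based configuration") so the discovery-method list renders as one unit. The first item is also indented by one leading space while the second is not; align them. While in this file, the unchanged sentence below the heading has a grammar slip, "if a computer is not be permitted to connect to the Internet"; suggest "is not permitted".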
@@ -77,12 +80,9 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Primary Domain Controller | .Microsoft.com DNS record
:---|:---
- Central US | winatp-gw-cus.microsoft.com us.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
- East US (2)| winatp-gw-eus.microsoft.com us.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
- West Europe | winatp-gw-weu.microsoft.com eu.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
- North Europe | winatp-gw-neu.microsoft.com eu.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
+ US |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```us.vortex-win.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com```
+Europe |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```eu.vortex-win.data.microsoft.com``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com```
-
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
If you selected US as your region, you should permit anonymous traffic for URLs listed in both Central US and East US (2).
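Review bot: the unchanged sentence "If you selected US as your region, you should permit anonymous traffic for URLs listed in both Central US and East US (2)" now refers to table rows this hunk removes; the merged US row already lists both winatp-gw-cus and winatp-gw-eus, so either delete that sentence or reword it to say "for all URLs listed in the US row". The hostnames in the new cells are wrapped in triple backticks; inline code in a table cell should use single backticks, and the five entries in one cell need a visible separator (comma or `<br>`) or they will run together in the rendered table. Note also that `*.blob.core.windows.net` is a wildcard allow that is much broader than the other named hosts; readers running strict egress filtering should be told this entry covers any storage account under that domain.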
diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
index 339d6b3da3..45ed365fe2 100644
--- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
@@ -30,7 +30,7 @@ Follow these steps to create the VPN policy you want to use with WIP.

-3. Type *WIPModeID* into the **Name** box, along with an optional description for your policy into the **Description** box.
+3. Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box.

@@ -69,7 +69,7 @@ The added people move to the **Selected Groups** list on the right-hand pane.
The policy is deployed to the selected users' devices.
## Link your WIP and VPN policies and deploy the custom configuration policy
-The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
+The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
**To link your VPN policy**
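Review bot: grammar in the reworded paragraph: "The final step to making your VPN configuration work with WIP, is to link your two policies together" has a stray comma before "is", and the sentence has no terminal period ("...the same group you deployed your WIP and VPN policies"). Suggest: "The final step to making your VPN configuration work with WIP is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploy the policy to the same group to which you deployed your WIP and VPN policies."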
@@ -83,19 +83,19 @@ The final step to making your VPN configuration work with WIP, is to link your t

-4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info.
+4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info.
5. In the **OMA-URI Settings** area, type the following info:
- - **Setting name.** Type **WIPModeID** as the name.
+ - **Setting name.** Type **EDPModeID** as the name.
- **Data type.** Pick the **String** data type.
- - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//WIPModeId`, replacing *<your\_wip\_policy\_name>* with the name you gave to your WIP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/WIPModeId`.
+ - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EDPModeId`, replacing <*VPNProfileName*> with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`.
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
- 
+ 
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
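Review bot: the OMA-URI in step 5, `./Vendor/MSFT/VPNv2//EDPModeId`, has nothing between the two slashes where the profile-name placeholder belongs; the angle-bracket placeholder is being swallowed by the markdown renderer. Escape it, for example `./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId`, so the reader sees where the name goes. The example path still uses *W10-Checkpoint-VPN1*, while the first hunk in this file renames the VPN policy in step 3 to *Contoso_VPN_Win10*; use the same profile name in both places so the example matches the earlier step.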
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index ed6a4793e9..44bf2930a2 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -160,7 +160,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
All fields left as “*”
-
All files signed by any publisher. (Not recommended.)
+
All files signed by any publisher. (Not recommended)
Publisher selected
@@ -329,7 +329,7 @@ We recommend that you start with **Silent** or **Override** while verifying with
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

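Review bot: the rewritten **Off (not recommended)** row spans two physical lines (the cell text continues on the line starting "After you turn off WIP"), which breaks GitHub-style markdown tables; join it into one line (or use `<br>` inside the cell if the line break is wanted). Also please confirm the wording "your previous decryption and policy info isn't automatically reapplied": "decryption info" reads oddly next to "policy info", and the sentence before it is about decrypting files when WIP is turned off, so check that this is the intended term.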
@@ -455,13 +455,13 @@ After you've decided where your protected apps can access enterprise data on you
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
+ - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- - **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+ - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu.
- - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+ - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
2. Click **Save Policy**.
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 9c13f0506b..468b8308d4 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -80,7 +80,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@@ -164,7 +164,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@@ -304,7 +304,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@@ -349,7 +349,7 @@ We recommend that you start with **Silent** or **Override** while verifying with
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

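Review bot: same issue as the matching hunk in create-wip-policy-using-intune.md: the **Off (not recommended)** row is split across two physical lines, which will not render as one table cell; join it or use `<br>`. The text is identical in both topics, so whichever wording is settled on should be applied to both.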
@@ -382,7 +382,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.

-
+
Network location type
@@ -401,13 +401,8 @@ There are no default locations included with WIP, you must add each of your netw
Enterprise Proxy Servers
-<<<<<<< HEAD
-
proxy.contoso.com:80;proxy2.contoso.com:137
-
Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.
This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.
TThis setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.
If you have multiple resources, you must separate them using the ";" delimiter.
-=======
proxy.contoso.com:80;proxy2.contoso.com:443
Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.
This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.
This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.
If you have multiple resources, you must separate them using the ";" delimiter.
->>>>>>> refs/remotes/origin/master
Enterprise Internal Proxy Servers
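Review bot: this hunk removes the merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refs/remotes/origin/master`) but keeps both sides of the conflict, so the **Enterprise Proxy Servers** entry now contains two example values ("proxy.contoso.com:80;proxy2.contoso.com:137" and "proxy.contoso.com:80;proxy2.contoso.com:443") and two full explanatory paragraphs back to back. Pick one version (the second reads as the later revision) and delete the other. The retained first block also has the typo "TThis setting is also required".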
@@ -435,15 +430,15 @@ There are no default locations included with WIP, you must add each of your netw
The **Add or edit corporate network definition** box closes.
-4. Decide if you want to Windows to look for additional network settings.
+4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.

- - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
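Review bot: stray word in step 4: "Decide if you want to Windows to look for additional network settings" should be "Decide if you want Windows to look ...". The new checkbox label, "Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer", does not parse (apps "on corporate files"); if this is the literal UI string, keep it but consider quoting it, otherwise reword it along the lines of the description that follows ("on corporate files in File Explorer and on your allowed WIP-unaware apps").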
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 2ed94b71f9..ce40f1c03f 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -48,7 +48,8 @@ The following tables provide more information about the hardware, firmware, and
> [!NOTE]
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> Starting in Widows 10, 1607, TPM 2.0 is required.
## Credential Guard requirements for baseline protections
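Review bot: typo in the added note line: "Widows 10, 1607" should be "Windows 10, version 1607". The new statement that TPM 2.0 is required starting with 1607 also contradicts the baseline table below, whose TPM row still reads "TPM 1.2 or TPM 2.0, either discrete or firmware"; reconcile the two, for example by qualifying the table row with the version at which TPM 1.2 stops being acceptable.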
@@ -57,11 +58,9 @@ The following tables provide more information about the hardware, firmware, and
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
| Hardware: **CPU virtualization extensions**, plus **extended page tables** | **Requirements**: These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
@@ -75,7 +74,9 @@ The following tables describes additional hardware and firmware requirements, an
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
+| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
| Firmware: **Securing Boot Configuration and Management** | **Requirements**: - BIOS password or stronger authentication must be supported. - In the BIOS configuration, BIOS authentication must be set. - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**: - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access. - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
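Review bot: the new `+| Firmware: **Secure MOR implementation**` row carries exactly the same requirement and security-benefits text as the Secure MOR row that already closes the preceding table, so the same firmware requirement now appears twice in the topic; confirm it belongs in only one of the two tables. In the new IOMMU row, the Intel feature is conventionally spelled "VT-d" (lower-case d), and the "For more information" link for an IOMMU requirement points at the ACPI system description tables page rather than a page about IOMMU or DMA protection; check that this target is intended.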
@@ -92,20 +93,21 @@ The following tables describes additional hardware and firmware requirements, an
-### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017)
+### 2017 Additional Qualification Requirements for Credential Guard (starting with the next major release of Windows 10)
-| Protections for Improved Security - requirement | Description |
+| Protection for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **UEFI NX Protections** | **Requirements**: - All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services: - Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table. - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**: - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS. - Reduces attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**: - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS. - Reduces attack surface to VBS from system firmware. - Blocks additional security attacks against SMM. |
## Manage Credential Guard
-Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it.
+### Enable Credential Guard
+Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
-### Turn on Credential Guard by using Group Policy
+#### Turn on Credential Guard by using Group Policy
+
+You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
-You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
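Review bot: the third link in the new "Enable Credential Guard" paragraph uses the anchor `#hardware-readiness-tool`, but the section it refers to is added later in this change under the heading "Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool", whose generated anchor is `#turn-on-credential-guard-by-using-the-device-guard-and-credential-guard-hardware-readiness-tool`, so the link is dead as written. Two smaller points in the same hunk: the table header is changed to the singular "Protection for Improved Security" in this table only, leaving it inconsistent with the "Protections for Improved Security" header of the table above; and the removed `-| Firmware: **UEFI NX Protections**` row start has no `+` replacement in the hunk, which leaves the "UEFI Runtime Services:" continuation and its "Security benefits" text outside any table row.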
@@ -115,43 +117,46 @@ You can use Group Policy to enable Credential Guard because it will add the virt
5. Close the Group Policy Management Console.
-### Add Credential Guard to an image
+To enforce processing of the group policy, you can run ```gpupdate /force```.
-If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard.
+#### Turn on Credential Guard by using the registry
-### Add the virtualization-based security features
+If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+##### Add the virtualization-based security features
+
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+
+If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
+You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
+
**Add the virtualization-based security features by using Programs and Features**
+
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-4. Click **OK**.
+4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
+
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
``` syntax
dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
+3. Add the Isolated User Mode feature by running the following command:
+ ``` syntax
+ dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
+ ```
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
-
-``` syntax
-dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
-```
-### Turn on Credential Guard
-
-If you don't use Group Policy, you can enable Credential Guard by using the registry.
-
-**Turn on Credential Guard by using the registry**
+##### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
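Review bot: the new sentence "To enforce processing of the group policy, you can run ```gpupdate /force```." wraps an inline command in a triple-backtick fence; use single backticks (`gpupdate /force`) so it renders inline rather than opening a code block. The two DISM commands are shown as `dism /image: /Enable-Feature ...` with nothing after `/image:`; a placeholder such as `/image:<path_to_mounted_image>` would make clear that the mount path is required. The new "Add the virtualization-based security features" text also says this step can be skipped on Windows 10, version 1607 and Windows Server 2016, yet the Programs and Features procedure below it now unconditionally adds step 4, "Select the **Isolated User Mode** check box", even though the removed paragraph in this same hunk states that on version 1607 Isolated User Mode is included with Hyper-V and is not installed separately; suggest qualifying step 4 (and DISM step 3) as applying to version 1511 and earlier.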
@@ -167,14 +172,30 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
+
+#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
```
-
+
+#### Credential Guard deployment in virtual machines
+
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+
+Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+Requirements for running Credential Guard in Hyper-V virtual machines
+- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+
+
### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following:
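Review bot: the command `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` in the new "Credential Guard deployment in virtual machines" section is missing the argument to `-VMName`; as written, PowerShell reports a missing argument for that parameter. Suggest `Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true`, with the placeholder explained in the sentence above it. In the same section, "non-priviledged" should be "non-privileged"; the second requirement bullet should read "and be running at least Windows Server 2016 or Windows 10" and should state the Windows 10 version the way the host bullet does ("version 1607"); and the line "Requirements for running Credential Guard in Hyper-V virtual machines" introduces a list as plain text where the neighbouring subsections use a heading or bold lead-in. The readiness-tool fence just above is also untagged while the new fence is tagged `PowerShell`; use the same tag for both.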
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index 8192f42f7f..112382f305 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ This tile shows you a list of machines with the highest number of active alerts.

-Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
+Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
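Review bot: after this change the edited sentence and the unchanged sentence that follows it both send the reader to `investigate-machines-windows-defender-advanced-threat-protection.md` with near-identical "For more information see" wording, so one of the two references is now redundant; suggest keeping only the one attached to the **Machines view** sentence. The comma in "For more information see," also belongs after "information": "For more information, see".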
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index e3df30dc93..91bec22e77 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -30,4 +30,4 @@ Windows Defender will continue to receive updates, and the *mspeng.exe* process
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
-For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
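Review bot: the fix drops the section anchor instead of repairing it. The original link was broken only by the stray space after `#`; `windows-defender-in-windows-10.md#compatibility-with-windows-defender-advanced-threat-protection` keeps the deep link to the **Compatibility** section that the sentence explicitly tells the reader to look at, whereas the new link lands at the top of the topic.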
diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
index 2a41a2d649..ba8e5d4999 100644
--- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -74,9 +74,9 @@ When finished, the files will be saved to your desktop. You can double-click the
To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
-For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
+For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe).
-For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
## Catalog signing with SignTool.exe
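Review bot: the second changed link now targets the same-page anchor `#add-a-catalog-signing-certificate-to-a-code-integrity-policy` instead of `deploy-code-integrity-policies-steps.md`; nothing in the hunk shows a heading by that name in this file, so please confirm the section exists here, otherwise keep the cross-topic link. The first change, removing the period from `#catalog-signing-with-signtool.exe`, is correct: generated heading anchors drop punctuation, so `#catalog-signing-with-signtoolexe` matches the "## Catalog signing with SignTool.exe" heading shown in context.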
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index bf63f5df7f..9f7be87cbb 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -20,65 +20,43 @@ Hardware-based security features, also called virtualization-based security or V
2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
-3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
-4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs), later in this topic.
+4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic.
For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
-## Windows feature requirements for virtualization-based security
+## Windows feature requirements for virtualization-based security and Device Guard
-In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS:
+In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS:
- With Windows 10, version 1607 or Windows Server 2016:
-Hyper-V Hypervisor (shown in Figure 1).
+Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
-Hyper-V Hypervisor and Isolated User Mode (not shown).
+Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
-> **Note** You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
+> **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.

-Figure 1. Enable operating system feature for VBS
+**Figure 1. Enable operating system features for VBS, Windows 10, version 1511**
After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.
-## Enable Virtualization Based Security (VBS)
+## Enable Virtualization Based Security (VBS) and Device Guard
-Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
-There are multiple ways to configure VBS features for Device Guard. You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic, or you can use the following procedures, either to configure the appropriate registry keys manually or to use Group Policy.
+There are multiple ways to configure VBS features for Device Guard:
-> **Important**
-> - The settings in the following procedure include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled. For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
-
-**To configure VBS manually**
-
-1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
-
-2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**.
-
-3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate:
-
- | **With Windows 10, version 1607, or Windows Server 2016** | **With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier** |
- | ---------------- | ---------------- |
- | **1** enables the **Secure Boot** option **3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option **2** enables the **Secure Boot and DMA protection** option |
-
-4. With a supported operating system earlier than Windows 10, version 1607, or Windows Server 2016, skip this step, and remain in the same registry subkey.
-
- With Windows 10, version 1607, or Windows Server 2016, navigate to **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**.
-
-5. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
-
-6. Restart the client computer.
-
-Unfortunately, it would be time consuming to perform these steps manually on every protected computer in your enterprise. Group Policy offers a much simpler way to deploy these features to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you want, you can instead link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups.
+- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic.
+- You can use Group Policy, as described in the procedure that follows.
+- You can configure VBS manually, as described in [Use registry keys to enable VBS and Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic.
> **Note** We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
-### Use Group Policy to enable VBS
+### Use Group Policy to enable VBS and Device Guard
1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
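Review bot: removing the paragraph that began "Unfortunately, it would be time consuming..." also removes the sentence that introduced the test organizational unit (*DG Enabled PCs*) and the advice on scoping the GPO, but the unchanged step 1 that follows ("right-click the OU to which you want to link the GPO") still assumes that context; either restore a one-sentence lead-in naming the OU or reword step 1 to stand alone. Separately, the deleted manual procedure carried the only statement that **Secure Boot and DMA protection** is value **3** for `RequirePlatformSecurityFeatures` on Windows 10, version 1607 and Windows Server 2016 (and **2** only on earlier releases); make sure that distinction survives in the registry section that replaces it. The `(shown in Figure 1)` / `(not shown)` swap is consistent with the new caption "Windows 10, version 1511".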
@@ -104,7 +82,12 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
> **Important** These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled. For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option:
+6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option.
+
+ > [!WARNING]
+ > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+ Select an option as follows:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option: For an initial deployment or test deployment, we recommend **Enabled without lock**. When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
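Review bot: the warning inserted under step 6 repeats the "test on a group of test computers" guidance already given in the Note immediately above the Group Policy procedure; if both are to stay, keep the earlier Note as the general advice and make this warning specific to the **Virtualization Based Protection of Code Integrity** option, which is the setting that actually carries the stop-error risk. Minor: the new line "Select an option as follows:" should be joined to the step sentence so the bullets that follow read as the options for that step.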
@@ -120,6 +103,116 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
+>**Note** Events will be logged in this event channel only when Group Policy is used to enable Device Guard features, not through other methods. If other methods such as registry keys are used, Device Guard features will be enabled but the events won’t be logged in this event channel.
+
+### Use registry keys to enable VBS and Device Guard
+
+Set the following registry keys to enable VBS and Device Guard. This provides exactly the same set of configuration options provided by Group Policy.
+
+> [!WARNING]
+> Virtualization-based protection of code integrity (controlled through the registry key **HypervisorEnforcedCodeIntegrity**) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+
+
+> **Important**
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled. For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
+
+#### For Windows 1607 and above
+
+Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
+
+``` commands
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+If you want to customize the preceding recommended settings, use the following settings.
+
+**To enable VBS**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+```
+
+**To enable VBS and require Secure boot only (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+```
+
+> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+
+**To enable VBS without UEFI lock (value 0)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+
+**To enable virtualization-based protection of Code Integrity policies**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+```
+
+**To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+
+#### For Windows 1511 and below
+
+Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+```
+
+If you want to customize the preceding recommended settings, use the following settings.
+
+**To enable VBS (it is always locked to UEFI)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+```
+
+**To enable VBS and require Secure boot only (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+```
+
+> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+
+**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
+```
+
+**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+```
### Validate enabled Device Guard hardware-based security features
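Review bot: two of the new commands in the "For Windows 1511 and below" block write `/v " Unlocked"` with a leading space inside the quotes, which creates a registry value named ` Unlocked` (with the space) that nothing will read; it must be `/v "Unlocked"` in both the recommended-settings block and the "without UEFI lock" command. Second, the "For Windows 1607 and above" subsection says **Secure Boot and DMA** is **value 2** ("change **/d 1** to **/d 2**"), but the manual-configuration table removed earlier in this change gave **3** for Windows 10, version 1607 and Windows Server 2016 and **2** only for earlier releases; the new text uses 2 in both branches, so one of the two is wrong and should be checked against the Group Policy template values before this ships. Smaller points: the fences are tagged ``` commands and ``` command, neither of which is a recognized language (tag them consistently, or leave them untagged like the rest of the topic); the headings "For Windows 1607 and above" and "For Windows 1511 and below" should use the product naming used elsewhere, "Windows 10, version 1607"; and the last fenced block runs straight into the "### Validate" heading with no blank line, unlike the 1607 block.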
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index 9793cfc53f..f6b1ea7f6e 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -21,7 +21,7 @@ localizationpriority: high
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
-Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
+Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also referred to as WIP-unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
@@ -34,27 +34,29 @@ Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-- Microsoft Edge
+- Microsoft Edge
-- Internet Explorer 11
+- Internet Explorer 11
-- Microsoft People
+- Microsoft People
-- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
+- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-- Microsoft Photos
+- Microsoft Photos
-- Groove Music
+- Groove Music
-- Notepad
+- Notepad
-- Microsoft Paint
+- Microsoft Paint
-- Microsoft Movies & TV
+- Microsoft Movies & TV
-- Microsoft Messaging
+- Microsoft Messaging
+
+- Microsoft Remote Desktop
## Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
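Review bot: the blank `+` line inserted before `- Microsoft Remote Desktop` separates it from the preceding bullets, so Remote Desktop renders as a separate (or loose) list instead of the last item; remove the blank line. The other `-`/`+` pairs in this hunk are textually identical, which points to trailing-whitespace or line-ending changes only; worth normalizing the file's line endings so the whole list does not show as modified.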
@@ -75,4 +77,5 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Binary Name:** iexplore.exe **App Type:** Desktop app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Binary Name:** onedrive.exe **App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Binary Name:** notepad.exe **App Type:** Desktop app |
-|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Binary Name:** mspaint.exe **App Type:** Desktop app |
\ No newline at end of file
+|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Binary Name:** mspaint.exe **App Type:** Desktop app |
+|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Binary Name:** mstsc.exe **App Type:** Desktop app |
\ No newline at end of file
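Review bot: the file is still left without a trailing newline (`\ No newline at end of file` remains after the new Microsoft Remote Desktop row), so the next row appended will again show the previous last row as changed; add a final newline. The new row itself follows the format of the existing Desktop app entries (publisher string, binary name `mstsc.exe`, app type).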
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index cdde9f9522..2c68fb6704 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -82,7 +82,7 @@ This URL will match that seen in the Firewall or network activity.
Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.
Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL.
-
Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).
+
Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).
6
@@ -145,13 +145,13 @@ It may take several hours for the endpoint to appear in the portal.
Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.
Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL.
-
Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).
+
Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).
17
Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
-
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
32
@@ -237,7 +237,7 @@ If the identifier does not persist, the same machine might appear twice in the p
34
Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
diff --git a/windows/keep-secure/images/atp-intune-add-oma.png b/windows/keep-secure/images/atp-intune-add-oma.png
new file mode 100644
index 0000000000..87586e7bd2
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-add-oma.png differ
diff --git a/windows/keep-secure/images/atp-intune-add-policy.png b/windows/keep-secure/images/atp-intune-add-policy.png
new file mode 100644
index 0000000000..570ab0a688
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-add-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-deploy-policy.png b/windows/keep-secure/images/atp-intune-deploy-policy.png
new file mode 100644
index 0000000000..a4f155428d
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-deploy-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-manage-deployment.png b/windows/keep-secure/images/atp-intune-manage-deployment.png
new file mode 100644
index 0000000000..450cb83369
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-manage-deployment.png differ
diff --git a/windows/keep-secure/images/atp-intune-new-policy.png b/windows/keep-secure/images/atp-intune-new-policy.png
new file mode 100644
index 0000000000..1e3661e63f
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-new-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-oma-uri-setting.png b/windows/keep-secure/images/atp-intune-oma-uri-setting.png
new file mode 100644
index 0000000000..f201f402da
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-oma-uri-setting.png differ
diff --git a/windows/keep-secure/images/atp-intune-policy-name.png b/windows/keep-secure/images/atp-intune-policy-name.png
new file mode 100644
index 0000000000..b45b2c5211
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-policy-name.png differ
diff --git a/windows/keep-secure/images/atp-intune-save-policy.png b/windows/keep-secure/images/atp-intune-save-policy.png
new file mode 100644
index 0000000000..b4adb7c064
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-save-policy.png differ
diff --git a/windows/keep-secure/images/atp-onboard-mdm.png b/windows/keep-secure/images/atp-onboard-mdm.png
new file mode 100644
index 0000000000..18b70c8c27
Binary files /dev/null and b/windows/keep-secure/images/atp-onboard-mdm.png differ
diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png
index a114c520de..cefb124344 100644
Binary files a/windows/keep-secure/images/dg-fig1-enableos.png and b/windows/keep-secure/images/dg-fig1-enableos.png differ
diff --git a/windows/keep-secure/images/intune-vpn-omaurisettings.png b/windows/keep-secure/images/intune-vpn-omaurisettings.png
index c7016e13c4..66415d57fd 100644
Binary files a/windows/keep-secure/images/intune-vpn-omaurisettings.png and b/windows/keep-secure/images/intune-vpn-omaurisettings.png differ
diff --git a/windows/keep-secure/images/intune-vpn-wipmodeid.png b/windows/keep-secure/images/intune-vpn-wipmodeid.png
index 6c45fd0a25..19892b3a7c 100644
Binary files a/windows/keep-secure/images/intune-vpn-wipmodeid.png and b/windows/keep-secure/images/intune-vpn-wipmodeid.png differ
diff --git a/windows/keep-secure/images/sc-image101.png b/windows/keep-secure/images/sc-image101.png
new file mode 100644
index 0000000000..d0c7a632b5
Binary files /dev/null and b/windows/keep-secure/images/sc-image101.png differ
diff --git a/windows/keep-secure/images/sc-image201.gif b/windows/keep-secure/images/sc-image201.gif
new file mode 100644
index 0000000000..226a747881
Binary files /dev/null and b/windows/keep-secure/images/sc-image201.gif differ
diff --git a/windows/keep-secure/images/sc-image203.gif b/windows/keep-secure/images/sc-image203.gif
new file mode 100644
index 0000000000..de2a310572
Binary files /dev/null and b/windows/keep-secure/images/sc-image203.gif differ
diff --git a/windows/keep-secure/images/sc-image205.png b/windows/keep-secure/images/sc-image205.png
new file mode 100644
index 0000000000..69b536054c
Binary files /dev/null and b/windows/keep-secure/images/sc-image205.png differ
diff --git a/windows/keep-secure/images/sc-image206.gif b/windows/keep-secure/images/sc-image206.gif
new file mode 100644
index 0000000000..07e187cfaa
Binary files /dev/null and b/windows/keep-secure/images/sc-image206.gif differ
diff --git a/windows/keep-secure/images/sc-image302.gif b/windows/keep-secure/images/sc-image302.gif
new file mode 100644
index 0000000000..346db734db
Binary files /dev/null and b/windows/keep-secure/images/sc-image302.gif differ
diff --git a/windows/keep-secure/images/sc-image402.png b/windows/keep-secure/images/sc-image402.png
new file mode 100644
index 0000000000..ec97224017
Binary files /dev/null and b/windows/keep-secure/images/sc-image402.png differ
diff --git a/windows/keep-secure/images/sc-image403.png b/windows/keep-secure/images/sc-image403.png
new file mode 100644
index 0000000000..22965326bc
Binary files /dev/null and b/windows/keep-secure/images/sc-image403.png differ
diff --git a/windows/keep-secure/images/sc-image404.png b/windows/keep-secure/images/sc-image404.png
new file mode 100644
index 0000000000..2bb988a668
Binary files /dev/null and b/windows/keep-secure/images/sc-image404.png differ
diff --git a/windows/keep-secure/images/sc-image405.png b/windows/keep-secure/images/sc-image405.png
new file mode 100644
index 0000000000..99e7a7b21a
Binary files /dev/null and b/windows/keep-secure/images/sc-image405.png differ
diff --git a/windows/keep-secure/images/sc-image406.png b/windows/keep-secure/images/sc-image406.png
new file mode 100644
index 0000000000..8eb3c3c630
Binary files /dev/null and b/windows/keep-secure/images/sc-image406.png differ
diff --git a/windows/keep-secure/images/sc-image407.png b/windows/keep-secure/images/sc-image407.png
new file mode 100644
index 0000000000..47ceb8f10a
Binary files /dev/null and b/windows/keep-secure/images/sc-image407.png differ
diff --git a/windows/keep-secure/images/sc-image501.gif b/windows/keep-secure/images/sc-image501.gif
new file mode 100644
index 0000000000..b1463b5d14
Binary files /dev/null and b/windows/keep-secure/images/sc-image501.gif differ
diff --git a/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png b/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png
new file mode 100644
index 0000000000..2d626ecf94
Binary files /dev/null and b/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png differ
diff --git a/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png b/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png
new file mode 100644
index 0000000000..e5c40ce136
Binary files /dev/null and b/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png differ
diff --git a/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png b/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png
new file mode 100644
index 0000000000..b6fa6b75ba
Binary files /dev/null and b/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png differ
diff --git a/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png b/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png
new file mode 100644
index 0000000000..110fb05099
Binary files /dev/null and b/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png differ
diff --git a/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png b/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png
new file mode 100644
index 0000000000..f770d2f259
Binary files /dev/null and b/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png differ
diff --git a/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png b/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png
new file mode 100644
index 0000000000..893abc8f34
Binary files /dev/null and b/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png differ
diff --git a/windows/keep-secure/images/vsc-08-enable-certificate-template.png b/windows/keep-secure/images/vsc-08-enable-certificate-template.png
new file mode 100644
index 0000000000..f060ca7e3e
Binary files /dev/null and b/windows/keep-secure/images/vsc-08-enable-certificate-template.png differ
diff --git a/windows/keep-secure/images/vsc-09-stop-service-start-service.png b/windows/keep-secure/images/vsc-09-stop-service-start-service.png
new file mode 100644
index 0000000000..4f3a65766f
Binary files /dev/null and b/windows/keep-secure/images/vsc-09-stop-service-start-service.png differ
diff --git a/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png b/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png
new file mode 100644
index 0000000000..b9a6538540
Binary files /dev/null and b/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png differ
diff --git a/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png b/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png
new file mode 100644
index 0000000000..4eeba26de7
Binary files /dev/null and b/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png differ
diff --git a/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png
new file mode 100644
index 0000000000..b8fb5e9635
Binary files /dev/null and b/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png differ
diff --git a/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png b/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png
new file mode 100644
index 0000000000..17357828f0
Binary files /dev/null and b/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png differ
diff --git a/windows/keep-secure/images/vsc-process-of-accessing-user-key.png b/windows/keep-secure/images/vsc-process-of-accessing-user-key.png
new file mode 100644
index 0000000000..29682f1cd0
Binary files /dev/null and b/windows/keep-secure/images/vsc-process-of-accessing-user-key.png differ
diff --git a/windows/keep-secure/images/vsc-virtual-smart-card-icon.png b/windows/keep-secure/images/vsc-virtual-smart-card-icon.png
new file mode 100644
index 0000000000..4614d7684b
Binary files /dev/null and b/windows/keep-secure/images/vsc-virtual-smart-card-icon.png differ
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index d56e60b02a..ee6e108018 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -131,7 +131,7 @@ The following table lists the Group Policy settings that you can configure for H
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 8670def085..cc8625adb9 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -40,7 +40,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.
- >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.
+ >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
>**Note:** If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
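Review bot: replacing the `[To set ownership of the TPM](#bkmk-setownership)` link with plain bold text removes the cross-reference instead of repairing it; if the `bkmk-` anchor no longer resolves, point the link at the anchor generated for the procedure heading so the reader can still jump to it.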
@@ -57,7 +57,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p
**To set ownership of the TPM**
-1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard).
+1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
3. In the **Save your TPM owner password** dialog box, click **Save the password**.
4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
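Review bot: the `[To start the TPM Initialization Wizard](#bkmk-starttpminitwizard)` link in step 1 is dropped in favor of unlinked bold text; if the bookmark anchor is broken, repoint the link at a working in-page anchor rather than removing the navigation.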
diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
index f2741165ce..d1d0b00b2e 100644
--- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -35,7 +35,7 @@ A malicious user might install malware that looks like the standard logon dialog
### Best practices
-- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Disabled**. Unless they are using a smart card to log on, users will have to simultaneously press three keys before the logon dialog box appears.
+- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**.
### Location
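Review bot: changing the advised value from **Disabled** to **Not configured** weakens the guidance this topic motivates: the context line above the hunk explains that requiring CTRL+ALT+DEL protects against a spoofed logon dialog, and **Disabled** is the value that enforces that requirement, whereas **Not configured** leaves the effective behavior to the machine's default, which depends on its configuration (for example whether it is domain-joined). Keep **Disabled**, or, if **Not configured** is intended, state what the effective default is and why it is acceptable. The removed sentence about users having to press the three keys unless they use a smart card was the only description of the user-facing effect and should be retained.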
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index 51e68f1fee..5d547bd269 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -122,7 +122,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
a. Change the following registry entry and values to change the policy on specific endpoints:
```
-HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
+HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
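Review bot: the new registry line `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` names only a key and drops the value name, yet the `Value = 0` / `Value = 1` lines that follow describe a specific value; restore the value name (`AllowSampleCollection`, which the removed line carried as its last component) either as the final path component or on its own line so readers know which value to create under the new key. Tagging the fence (for example `text`) would also help rendering.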
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index fb34c03d1f..eec0ada5a4 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -69,7 +69,7 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity
-For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
+For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#machines-with-active-malware-detections).
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon  to download the entire list as a CSV file.
@@ -81,7 +81,7 @@ Investigate the details of an alert raised on a specific machine to identify oth
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
-- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
+- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
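Review bot: the `Machines view` bullet now links to `investigate-machines-windows-defender-advanced-threat-protection.md`, which is the file this hunk edits, so the link just reloads the page the reader is already on. The original defect was the mixed-case in-page anchor `#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view`; lowercasing it to `#investigate-machines-in-the-windows-defender-atp-machines-view`, as the isolating-apps hunk in this change set does for its step-1 anchor, keeps the jump to the section.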
@@ -104,7 +104,7 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
-You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-spotlight) feature to see the correlation between alerts and events on a specific machine.

diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md
index c8adf77620..9743da28c0 100644
--- a/windows/keep-secure/isolating-apps-on-your-network.md
+++ b/windows/keep-secure/isolating-apps-on-your-network.md
@@ -44,7 +44,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- [Prerequisites](#prerequisites)
-- [Step 1: Define your network](#step-1-Define-your-network)
+- [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index 947cee9c66..dc2429d6b3 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -71,7 +71,12 @@ This table provides info about the most common problems you might encounter whil
You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
-
A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
-
Open File Explorer and change the file ownership to **Personal** before you upload.
+
A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal.
+
Open File Explorer and change the file ownership to Personal before you upload.
+
+
+
ActiveX controls should be used with caution.
+
Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
+
We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
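Review bot: the three consecutive blank `+` lines before `ActiveX controls should be used with caution.` terminate the markdown table this hunk sits in (the hunk header reads "This table provides info about the most common problems"), so the new ActiveX entry renders as loose paragraphs rather than as a table row; keep the new entry on one line with the same cell separators as the existing rows and no blank lines between rows. In the new text, "the more secure and safer browser" is redundant; "the more secure browser" reads better.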
diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md
index 3e94ade971..3e50de5cc8 100644
--- a/windows/keep-secure/local-accounts.md
+++ b/windows/keep-secure/local-accounts.md
@@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
-In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
+In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**.
**Account group membership**
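Review bot: dropping `For more information, see [Security considerations](#sec-administrator-security)` removes the pointer to the Administrator-account security guidance instead of fixing the stale anchor; repoint the link at the current anchor of this topic's Security considerations section.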
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
index 71b7ad88c9..d91d7bbb04 100644
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@@ -19,7 +19,7 @@ localizationpriority: high
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
>[!NOTE]
-> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 8fa747d356..0fd2edc0d3 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -108,7 +108,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
## Windows Defender signature updates are configured
The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
-When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
+When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
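Review bot: the replacement drops the section anchor entirely, so the link no longer lands on the **Compatibility** section the sentence tells the reader to see. The original link was broken only by the space after `#`; keeping the anchor as `(windows-defender-in-windows-10.md#compatibility-with-windows-defender-advanced-threat-protection)` fixes the link without losing the deep link, assuming that heading exists in the target topic.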
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 0790236e3f..2846134874 100644
--- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -53,5 +53,9 @@ This topic provides a roadmap for planning and getting started on the Device Gua
- [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies)
- [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
-8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
+8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+ > [!WARNING]
+ > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+ For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
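Review bot: the `> [!WARNING]` block and the closing "For information about enabling VBS features" line are indented by a single space under list item 8, which markdown renderers do not reliably treat as part of the list item; indent them to the list item's content column (three or four spaces) so the warning and the link render inside step 8 rather than as a detached paragraph after the list.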
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index 44ee846cb2..dc661d0dbd 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -128,10 +128,10 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.
**Note** For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
+|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.
**Note** For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
## Turn off WIP
-You can turn off all Windows Information Protection and restrictions, reverting to where you were pre-WIP, with no data loss. However, turning off WIP isn't recommended. If you choose to turn it off, you can always turn it back on, but WIP won't retain your decryption and policies info.
+You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
## Next steps
After deciding to use WIP in your enterprise, you need to:
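Review bot: the **Off** row still spans three physical lines (the row text, the "After you turn off WIP" sentence, and the **Note**), so the cell will not render as one table row in markdown; join the cell onto a single line with `<br>` breaks or move the note below the table. Also, the new **Turn off WIP** wording says turning WIP off is "decrypting all devices managed by WIP ... with no data loss", while the **Off** row says only that "an attempt is made to decrypt any WIP-tagged files on the locally attached drives"; the two should make the same claim, because files that are not on a locally attached drive at the time are exactly the case a reader deciding to turn WIP off needs to know about.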
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 13b3f05f42..13754fa34c 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -20,6 +20,7 @@ This article describes the following:
- [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
- [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
+- [Device Guard deployment in virtual machines](#device-guard-deployment-in-virtual-machines)
- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
@@ -35,6 +36,9 @@ For example, hardware that includes CPU virtualization extensions and SLAT will
You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+> [!WARNING]
+> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> **Notes**
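Review bot: this warning is the same text added verbatim under step 8 of planning-and-getting-started-on-the-device-guard-deployment-process.md in this patch; if the docs toolchain supports shared fragments, a single include would keep the two copies from drifting, and if not, the duplication should at least be noted in the commit message so future edits touch both.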
@@ -96,6 +100,19 @@ Typically, deployment of Device Guard happens best in phases, rather than being
| **Lightly managed devices**: Company-owned, but users are free to install software. Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
+## Device Guard deployment in virtual machines
+
+Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine.
+
+Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine:
+
+` Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true`
+
+
+### Requirements for running Device Guard in Hyper-V virtual machines
+ - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
+ - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
+
## Reviewing your applications: application signing and catalog files
Typically, code integrity policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the code integrity policy to recognize the applications as signed.
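Review bot: the `Set-VMSecurity` example is missing the value for `-VMName` (the line reads `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true`), so the command as written cannot run; show a placeholder such as `Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true`, and put it in a fenced code block rather than inline backticks with a leading space. The sentence "It does not provide additional protection from the host administrator" is the key security statement of this section and the command is the concrete demonstration of it (a host administrator can opt the guest out of VBS); consider placing that sentence directly before the command so the reader sees why the opt-out matters. The requirements list under the subheading is also indented by one space, which renders inconsistently with the other lists in this topic.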
diff --git a/windows/keep-secure/smart-card-and-remote-desktop-services.md b/windows/keep-secure/smart-card-and-remote-desktop-services.md
new file mode 100644
index 0000000000..5a2d8f9ed9
--- /dev/null
+++ b/windows/keep-secure/smart-card-and-remote-desktop-services.md
@@ -0,0 +1,99 @@
+---
+title: Smart Card and Remote Desktop Services (Windows 10)
+description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card and Remote Desktop Services
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
+
+The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
+
+Smart card support is required to enable many Remote Desktop Services scenarios. These include:
+
+- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
+
+- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.
+
+## Remote Desktop Services redirection
+
+In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
+
+
+
+**Remote Desktop redirection**
+
+Notes about the redirection model:
+
+1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs **net use /smartcard**.
+
+2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
+
+3. The authentication is performed by the LSA in session 0.
+
+4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.
+
+5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
+
+6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
+
+7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.
+
+## RD Session Host server single sign-in experience
+
+As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
+
+Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.
+
+When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
+
+### Remote Desktop Services and smart card sign-in
+
+Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
+
+In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
+
+To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
+
+**certutil -dspublish NTAuthCA** "*DSCDPContainer*"
+
+The *DSCDPContainer* Common Name (CN) is usually the name of the certification authority.
+
+Example:
+
+**certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"**
+
+For information about this option for the command-line tool, see [-dsPublish](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_dsPublish).
+
+### Remote Desktop Services and smart card sign-in across domains
+
+To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:
+
+**certutil -scroots update**
+
+For information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_SCRoots).
+
+For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:
+
+**certutil -addstore -enterprise NTAUTH** <*CertFile*>
+
+Where <*CertFile*> is the root certificate of the KDC certificate issuer.
+
+For information about this option for the command-line tool, see [-addstore](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_addstore).
+
+> **Note** If you use the credential SSP on computers running the supported versions of the operating system that are designated in the **Applies To** list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
+
+Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <*ClientName*>@<*DomainDNSName*>
+
+The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
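Review bot: the generic form `certutil -dspublish NTAuthCA "DSCDPContainer"` omits the certificate file argument that the example directly below it supplies (`<CertFile>`), so the two forms disagree; align the generic form with the example and verify the argument order against the linked -dsPublish reference. Three further points: the first bullet under "Smart card support is required to enable many Remote Desktop Services scenarios" describes a failure ("A user is not able to establish a redirected smart card-based remote desktop connection") rather than a scenario, so it reads as a contradiction and should be reworded as the scenario that smart card support enables; the **Remote Desktop redirection** caption has no image above it (the blank lines where the figure link belonged), so either add the image link or drop the caption; and "root certification of the domain controller" in the Note should read "root certificate".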
diff --git a/windows/keep-secure/smart-card-architecture.md b/windows/keep-secure/smart-card-architecture.md
new file mode 100644
index 0000000000..84d38741cf
--- /dev/null
+++ b/windows/keep-secure/smart-card-architecture.md
@@ -0,0 +1,337 @@
+---
+title: Smart Card Architecture (Windows 10)
+description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Architecture
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
+
+Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter.
+
+In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses a key only the user knows (such as with public key cryptography), or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt. Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable.
+
+For smart cards, Windows supports a provider architecture that meets the secure authentication requirements and is extensible so that you can include custom credential providers. This topic includes information about:
+
+- [Credential provider architecture](#credential-provider-architecture)
+
+- [Smart card subsystem architecture](#smart-card-subsystem-architecture)
+
+
+
+## Credential provider architecture
+
+The following table lists the components that are included in the interactive sign-in architecture of the Windows Server and Windows operating systems.
+
+| **Component** | **Description** |
+|------------------------------------------------|-----|
+| Winlogon | Provides an interactive sign-in infrastructure. |
+| Logon UI | Provides interactive UI rendering. |
+| Credential providers (password and smart card) | Describes credential information and serializing credentials. |
+| Local Security Authority (LSA) | Processes sign-in credentials. |
+| Authentication packages | Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. |
+
+Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key combination is called a secure attention sequence (SAS). To keep other programs and processes from using it, Winlogon registers this sequence during the boot process.
+
+After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system.
+
+
+
+**Figure 1** **Credential provider architecture**
+
+Typically, a user who signs in to a computer by using a local account or a domain account must enter a user name and password. These credentials are used to verify the user's identity. For smart card sign-in, a user's credentials are contained on the smart card's security chip. A smart card reader lets the computer interact with the security chip on the smart card. When users sign in with a smart card, they enter a personal identification number (PIN) instead of a user name and password.
+
+Credential providers are in-process COM objects that run on the local system and are used to collect credentials. The Logon UI provides interactive UI rendering, Winlogon provides interactive sign-in infrastructure, and credential providers work with both of these components to help gather and process credentials.
+
+Winlogon instructs the Logon UI to display credential provider tiles after it receives an SAS event. The Logon UI queries each credential provider for the number of credentials it wants to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, the Logon UI displays them to the user. The user interacts with a tile to supply the proper credentials. The Logon UI submits these credentials for authentication.
+
+Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to sign in by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy custom authentication mechanisms for all domain users, and they may explicitly require users to use this custom sign-in mechanism.
+
+> **Note** Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.
+
+Credential providers can be designed to support single sign-in (SSO). In this process, they authenticate users to a secure network access point (by using RADIUS and other technologies) for signing in to the computer. Credential providers are also designed to support application-specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC).
+
+Multiple credential providers can coexist on a computer.
+
+Credential providers must be registered on a computer running Windows, and they are responsible for:
+
+- Describing the credential information that is required for authentication.
+
+- Handling communication and logic with external authentication authorities.
+
+- Packaging credentials for interactive and network sign-in.
+
+> **Note** The Credential Provider API does not render the UI. It describes what needs to be rendered. Only the password credential provider is available in safe mode. The smart card credential provider is available in safe mode during networking.
+
+## Smart card subsystem architecture
+
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](http://www.pcscworkgroup.com/specifications/overview.php). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+
+### Base CSP and smart card minidriver architecture
+
+Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
+
+
+
+**Figure 2** **Base CSP and smart card minidriver architecture**
+
+### Caching with Base CSP and smart card KSP
+
+Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user’s access to a PIN.
+
+- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations.
+
+- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated.
+
+#### Data caching
+
+Each CSP implements the current smart card data cache separately. The Base CSP implements a robust caching mechanism that allows a single process to minimize smart card I/O operations.
+
+The existing global cache works as follows:
+
+1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card.
+
+2. The CSP checks its cache for the item.
+
+3. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card.
+
+4. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced.
+
+Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache.
+
+The global data cache is hosted in the Smart Cards for Windows service. Windows includes two public smart card API calls, SCardWriteCache and SCardReadCache. These API calls make global data caching functionality available to applications. Every smart card that conforms to the smart card minidriver specification has a 16-byte card identifier. This value is used to uniquely identify cached data that pertains to a given smart card. The standard Windows GUID type is used. These APIs allow an application to add data to and read data from the global cache.
+
+#### PIN caching
+
+The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card.
+
+To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it require multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
+
+The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.
+
+1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card.
+
+2. Outlook prompts the user for the smart card PIN. The user enters the correct PIN.
+
+3. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail.
+
+4. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client.
+
+5. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN.
+
+6. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in.
+
+7. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN.
+
+The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN.
+
+### Smart card selection
+
+The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
+
+- [Container specification levels](#container-specification-levels)
+
+- [Container operations](#container-operations)
+
+- [Context flags](#context-flags)
+
+- [Create a new container in silent context](#create-a-new-container-in-silent-context)
+
+- [Smart card selection behavior](#smart-card-selection-behavior)
+
+- [Make a smart card reader match](#make-a-smart-card-reader-match)
+
+- [Make a smart card match](#make-a-smart-card-match)
+
+- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
+
+- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
+
+- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
+
+- [Delete a container](#delete-a-container)
+
+#### Container specification levels
+
+In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to match the container that the caller specifies to a specific smart card and reader. The caller can provide a container name with varying levels of specificity, as shown in the following table, and sorted from most-specific to least-specific requests.
+
+Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table.
+
+> **Note** Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER) must be made.
+
+| **Type** | **Name** | **Format** |
+|----------|----------|------------|
+| I | Reader Name and Container Name | \\\\.\\<Reader Name>\\<Container Name> |
+| II | Reader Name and Container Name (NULL) | \\\\.\\<Reader Name> |
+| III | Container Name Only | <Container Name> |
+| IV | Default Container (NULL) Only | NULL |
+
+The Base CSP and smart card KSP cache smart card handle information about the calling process and about the smart cards the process has accessed. When searching for a smart card container, the Base CSP or smart card KSP first checks its cache for the process. If the cached handle is invalid or no match is found, the SCardUIDlg API is called to get the card handle.
+
+#### Container operations
+
+The following three container operations can be requested by using CryptAcquireContext:
+
+1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.)
+
+2. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.)
+
+3. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.)
+
+The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are based on the container operation requested and the level of container specification used.
+
+The following table shows the restrictions for the container creation operation.
+
+| **Specification** | **Restriction** |
+|------------------------------------|-----------|
+| No silent context | Key container creation must always be able to show UI, such as the PIN prompt. |
+| No overwriting existing containers | If the specified container already exists on the chosen smart card, choose another smart card or cancel the operation. |
+
+#### Context flags
+
+The following table shows the context flags used as restrictions for the container creation operation.
+
+| **Flag** | **Description** |
+|------------------------|------------------------------------------------------|
+| CRYPT\_SILENT | No UI can be displayed during this operation. |
+| CRYPT\_MACHINE\_KEYSET | No cached data should be used during this operation. |
+| CRYPT\_VERIFYCONTEXT | Only public data can be accessed on the smart card. |
+
+In addition to container operations and container specifications, you must consider other user options, such as the CryptAcquireContext flags, during smart card selection.
+
+> **Important** The CRYPT\_SILENT flag cannot be used to create a new container.
+
+#### Create a new container in silent context
+
+Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows:
+
+1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag.
+
+2. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN.
+
+3. Release the context acquired in Step 1.
+
+4. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level.
+
+5. Call CryptGenKey to create the key.
+
+#### Smart card selection behavior
+
+In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
+
+
+
+**Figure 3** **Smart card selection behavior**
+
+In general, smart card selection behavior is handled by the SCardUIDlgSelectCard API. The Base CSP interacts with this API by calling it directly. The Base CSP also sends callback functions that have the purpose of filtering and matching candidate smart cards. Callers of CryptAcquireContext provide smart card matching information. Internally, the Base CSP uses a combination of smart card serial numbers, reader names, and container names to find specific smart cards.
+
+Each call to SCardUI \* may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information.
+
+#### Make a smart card reader match
+
+For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is:
+
+1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.)
+
+2. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.)
+
+3. For container specification level II only, the name of the default container on the chosen smart card is determined.
+
+4. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card.
+
+5. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails.
+
+#### Make a smart card match
+
+For container specification levels III and IV, a broader method is used to match an appropriate smart card with a user context, because multiple cached smart cards might meet the criteria provided.
+
+#### Open an existing default container (no reader specified)
+
+> **Note** This operation requires that you use the smart card with the Base CSP.
+
+1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card.
+
+2. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container.
+
+#### Open an existing GUID-named container (no reader specified)
+
+> **Note** This operation requires that you use the smart card with the Base CSP.
+
+1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name).
+
+2. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name.
+
+#### Create a new container (no reader specified)
+
+> **Note** This operation requires that you use the smart card with the Base CSP.
+
+If the PIN is not cached, no CRYPT\_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum.
+
+For other operations, the caller may be able to acquire a "verify" context against the default container (CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations.
+
+1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+
+ 1. If the smart card has been removed, continue the search.
+
+ 2. If the smart card is present, but it already has the named container, continue the search.
+
+ 3. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search.
+
+ 4. Otherwise, use the first available smart card that meets the above criteria for the container creation.
+
+2. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card.
+
+#### Delete a container
+
+1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended.
+
+2. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+
+ 1. If the smart card does not have the named container, continue the search.
+
+ 2. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI \*.
+
+3. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was provided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card.
+
+### Base CSP and KSP-based architecture in Windows
+
+Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
+
+
+
+**Figure 4** **Cryptography architecture**
+
+### Base CSP and smart card KSP properties in Windows
+
+The following properties are supported in versions of Windows designated in the **Applies To** list at the beginning of this topic.
+
+> **Note** The API definitions are located in WinCrypt.h and WinSCard.h.
+
+| **Property** | **Description** |
+|-----------------------|------------------|
+| PP\_USER\_CERTSTORE | - Used to return an HCERTSTORE that contains all user certificates on the smart card - Read-only (used only by CryptGetProvParam) - Caller responsible for closing the certificate store - Certificate encoded using PKCS\_7\_ASN\_ENCODING or X509\_ASN\_ENCODING - CSP should set KEY\_PROV\_INFO on certificates - Certificate store should be assumed to be an in-memory store - Certificates should have a valid CRYPT\_KEY\_PROV\_INFO as a property |
+| PP\_ROOT\_CERTSTORE | - Read and Write (used by CryptGetProvParam and CryptSetProvParam) - Used to write a collection of root certificates to the smart card or return HCERTSTORE, which contains root certificates from the smart card - Used primarily for joining a domain by using a smart card - Caller responsible for closing the certificate store |
+| PP\_SMARTCARD\_READER | - Read-only (used only by CryptGetProvParam) - Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
+| PP\_SMARTCARD\_GUID | - Return smart card GUID (also known as a serial number), which should be unique for each smart card - Used by the certificate propagation service to track the source of a root certificate|
+| PP\_UI\_PROMPT | - Used to set the search string for the SCardUIDlgSelectCard card insertion dialog box - Persistent for the entire process when it is set - Write-only (used only by CryptSetProvParam) |
+
+### Implications for CSPs in Windows
+
+Credential Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+
+If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
+
+### Write a smart card minidriver, CSP, or KSP
+
+CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP.
+
+For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](https://msdn.microsoft.com/windows/hardware/drivers/smartcard/smart-card-minidrivers).
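Review bot: The expansion "Credential Service Providers (CSPs)" under "Implications for CSPs in Windows" is wrong for this topic; everywhere else in the hunk a CSP is the CryptoAPI cryptographic service provider (the Base CSP, CryptAcquireContext, CryptSetProvParam), so change it to "Cryptographic service providers (CSPs)". Two smaller points in the same hunk: the `<Reader Name>` and `<Container Name>` placeholders in the container specification levels table will be consumed as HTML tags when the Markdown renders, so escape them as `&lt;Reader Name&gt;` / `&lt;Container Name&gt;` or put the format strings in backticks; and the Important note "The CRYPT_SILENT flag cannot be used to create a new container" contradicts the section that immediately follows it, which walks through creating a new container in silent context after the PIN has been cached with CryptSetProvParam. Qualify it, for example "The CRYPT_SILENT flag cannot be used to create a new container unless the PIN has already been cached", which also matches the later statement "If the PIN is not cached, no CRYPT_SILENT is allowed for the container creation".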
diff --git a/windows/keep-secure/smart-card-certificate-propagation-service.md b/windows/keep-secure/smart-card-certificate-propagation-service.md
new file mode 100644
index 0000000000..4668d29aa8
--- /dev/null
+++ b/windows/keep-secure/smart-card-certificate-propagation-service.md
@@ -0,0 +1,75 @@
+---
+title: Certificate Propagation Service (Windows 10)
+description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Certificate Propagation Service
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
+
+The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+> **Note** The certificate propagation service must be running for smart card Plug and Play to work.
+
+The following figure shows the flow of the certificate propagation service. The action begins when a signed-in user inserts a smart card.
+
+1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session.
+
+2. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection.
+
+3. The arrow labeled **2** indicates the certification to the reader.
+
+4. The arrow labeled **3** indicates the access to the certificate store during the client session.
+
+**Certificate propagation service**
+
+
+
+1. A signed-in user inserts a smart card.
+
+2. CertPropSvc is notified that a smart card was inserted.
+
+3. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
+
+> **Note** The certificate propagation service is started as a Remote Desktop Services dependency.
+
+Properties of the certificate propagation service include:
+
+- CERT\_STORE\_ADD\_REPLACE\_EXISTING\_INHERIT\_PROPERTIES adds certificates to a user's Personal store.
+
+- If the certificate has the CERT\_ENROLLMENT\_PROP\_ID property (as defined by wincrypt.h), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store.
+
+- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store.
+
+- The service propagates certificates according to Group Policy options that are set, which may include:
+
+ - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated.
+
+ - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated.
+
+ - **Configure root certificate cleanup** specifies how root certificates are removed.
+
+## Root certificate propagation service
+
+Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust has not yet been established:
+
+- Joining the domain
+
+- Accessing a network remotely
+
+In both cases, the computer is not joined to a domain, and therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
+
+When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
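Review bot: "The arrow labeled **2** indicates the certification to the reader" does not say what the arrow represents; "certification to the reader" is not a step described anywhere else in the topic. Reword it to match the flow stated above it, for example "indicates the certificates being read from the smart card in the reader", or drop the arrow list in favour of the three-step list that follows, since both numbered lists describe the same figure and the second restarts at 1 directly under the caption. Also, in the "Properties of the certificate propagation service" list, CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES is the disposition used when certificates are added to the store, not a property of the service, so reword that bullet as "Certificates are added to the user's Personal store with the CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES disposition".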
diff --git a/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md b/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md
new file mode 100644
index 0000000000..16e40288d5
--- /dev/null
+++ b/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md
@@ -0,0 +1,317 @@
+---
+title: Certificate Requirements and Enumeration (Windows 10)
+description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Certificate Requirements and Enumeration
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
+
+When a smart card is inserted, the following steps are performed.
+
+> **Note** Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext).
+
+1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
+
+2. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\<Reader name>*\\
+
+3. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
+
+4. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam.
+
+5. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
+
+6. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key.
+
+7. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store.
+
+8. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
+
+ 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date).
+
+ 2. The certificate must not be in the AT\_SIGNATURE part of a container.
+
+ 3. The certificate must have a valid user principal name (UPN).
+
+ 4. The certificate must have the digital signature key usage.
+
+ 5. The certificate must have the smart card logon EKU.
+
+ Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions).
+
+ > **Note** These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings.
+
+9. The process then chooses a certificate, and the PIN is entered.
+
+10. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
+
+11. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
+
+## About Certificate support for compatibility
+
+Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are:
+
+- Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the enhanced key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional.
+
+- Each certificate must be stored in the AT\_KEYEXCHANGE portion of the default CryptoAPI container, and non-default CryptoAPI containers are not supported.
+
+The following table lists the certificate support in older Windows operating system versions.
+
+| **Operating system** | **Certificate support** |
+|---------------------------------------|----------------------------------------------------------------------------------------------------------|
+| Windows Server 2008 R2 and Windows 7 | Support for smart card sign-in with ECC-based certificates. ECC smart card sign-in is enabled through Group Policy.
ECDH\_P256 ECDH Curve P-256 from FIPS 186-2
ECDSA\_P256 ECDSA Curve P-256 from FIPS 186-2
ECDH\_P384 ECDH Curve P-384 from FIPS 186-2
ECDH\_P521 ECDH Curve P-521 from FIPS 186-2
ECDSA\_P256 ECDH Curve P-256 from FIPS 186-2
ECDSA\_P384 ECDSA Curve P-384 from FIPS 186-2
ECDSA\_P521 ECDSA Curve P-384 from FIPS 186-2 |
+| Windows Server 2008 and Windows Vista | Valid certificates are enumerated and displayed from all smart cards and presented to the user. Keys are no longer restricted to the default container, and certificates in different containers can be chosen. Elliptic curve cryptography (ECC)-based certificates are not supported for smart card sign-in |
+
+## Smart card sign-in flow in Windows
+
+Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
+
+In the supported versions of Windows designated in the **Applies To** list at the beginning of this topic, client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
+
+Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
+
+If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates are not listed on the sign-in screen.
+
+The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
+
+
+
+**Smart card sign-in flow**
+
+Following are the steps that are performed during a smart card sign-in:
+
+1. Winlogon requests the sign-in UI credential information.
+
+2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
+
+ 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
+
+ 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
+
+ 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
+
+ > **Note** Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
+
+ 4. Notifies the sign-in UI that it has new credentials.
+
+3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
+
+4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
+
+5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts.
+
+6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
+
+7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
+
+8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
+
+ If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key. If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
+
+9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
+
+10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
+
+11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
+
+12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
+
+13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT’s authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
+
+14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
+
+ > **Note** The KRB\_AS\_REP packet consists of:
+ >- Privilege attribute certificate (PAC)
+ >- User's SID
+ >- SIDs of any groups of which the user is a member
+ >- A request for ticket-granting service (TGS)
+ >- Preauthentication data
+
+ TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
+
+15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+
+16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
+
+17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
+
+18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE).
+
+19. CSP to smart card resource manager communication happens on the LRPC Channel.
+
+20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
+
+21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
+
+> **Note** A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
+
+For more information about the Kerberos protocol, see [Microsoft Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747(v=vs.85).aspx).
+
+By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID\_KP\_SMARTCARD\_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key.
+
+## KDC certificate
+
+Active Directory Certificate Services provides three kinds of certificate templates:
+
+- Domain controller
+
+- Domain controller authentication
+
+- Kerberos authentication
+
+Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet.
+
+## Client certificate requirements and mappings
+
+Certificate requirements are listed by versions of the Windows operating system. Certificate mapping describes how information from the certificate is mapped to the user account.
+
+### Certificate requirements
+
+The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
+
+| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, and Windows Vista** | **Requirements for Windows XP** |
+|--------------------------------------|--------------------------------|------|
+| CRL distribution point location | Not required | The location must be specified, online, and available, for example: \[1\]CRL Distribution Point Distribution Point Name: Full Name: URL=http://server1.contoso.com/CertEnroll/caname.crl |
+| Key usage | Digital signature | Digital signature |
+| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) |
+| Enhanced key usage (EKU) | The smart card sign-in object identifier is not required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2) The client authentication object identifier is required only if a certificate is used for SSL authentication.
- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |
+| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example: UPN=user1@contoso.com The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3. The UPN OtherName value must be an ASN1-encoded UTF8 string. |
+| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. |
+| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required |
+| CRL | Not required | Not required |
+| UPN | Not required | Not required |
+| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. |
+
+### Client certificate mappings
+
+Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported.
+
+SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: <I>"*<Issuer Name>*"<S>"*<Subject Name>*. The *<Issuer Name>* and *<Subject Name>* are taken from the client certificate, with '\\r' and '\\n' replaced with ','.
+
+**Certificate revocation list distribution points**
+
+
+
+**UPN in Subject Alternative Name field**
+
+
+
+**Subject and Issuer fields**
+
+
+
+This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
+
+**High-level flow of certificate processing for sign-in**
+
+
+
+The certificate object is parsed to look for content to perform user account mapping.
+
+- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs.
+
+- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object.
+
+- When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding.
+
+Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client does not supply the client name through the mapping hints.
+
+The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing various entries in the certificate.
+
+**Certificate processing logic**
+
+
+
+NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](https://msdn.microsoft.com/library/aa377163.aspx).
+
+## Smart card sign-in for a single user with one certificate into multiple accounts
+
+A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a user account and also to sign in as a domain administrator. The mapping is done by using the constructed AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings).
+
+> **Note** Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in.
+
+Based on the information that is available in the certificate, the sign-in conditions are:
+
+1. If no UPN is present in the certificate:
+
+ 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts.
+
+ 2. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate).
+
+2. If a UPN is present in the certificate:
+
+ 1. The certificate cannot be mapped to multiple users in the same forest.
+
+ 2. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user.
+
+## Smart card sign-in for multiple users into a single account
+
+A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they are enabled for sign-in.
+
+Several distinct certificates can be mapped to a single account. For this to work properly, the certificate cannot have UPNs.
+
+For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Certificate3 has CN=User2, the AltSecID of these certificates can be mapped to a single account by using the Active Directory Users and Computers name mapping.
+
+## Smart card sign-in across forests
+
+For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as *user@contoso.com*.
+
+> **Note** For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client.
+
+## OCSP support for PKINIT
+
+Online Certificate Status Protocol (OCSP), which is defined in RFC 2560, enables applications to obtain timely information about the revocation status of a certificate. Because OCSP responses are small and well bound, constrained clients might want to use OCSP to check the validity of the certificates for Kerberos on the KDC, to avoid transmission of large CRLs, and to save bandwidth on constrained networks. For information about CRL registry keys, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior cannot be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate.
+
+Windows client computers attempt to request the OCSP responses and use them in the reply when they are available. This behavior cannot be disabled.
+
+## Smart card root certificate requirements for use with domain sign-in
+
+For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions:
+
+- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate.
+
+- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate.
+
+- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty.
+
+- The smart card certificate must contain one of the following:
+
+ - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail.
+
+ - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain.
+
+Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following:
+
+1. Enable HTTP CRL distribution points on the CA.
+
+2. Restart the CA.
+
+3. Reissue the KDC certificate.
+
+4. Issue or reissue the smart card sign-in certificate.
+
+5. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in.
+
+The workaround is to enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key), which allows the user to supply a hint in the credentials user interface for domain sign-in.
+
+If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including DC=*<DomainControllerName>*, for domain name resolution.
+
+To deploy root certificates on a smart card for the currently joined domain, you can use the following command:
+
+**certutil -scroots update**
+
+For more information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_SCRoots).
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+
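Review bot: the note under step 14 (`> **Note** The KRB\_AS\_REP packet consists of:`) contradicts step 14 itself: the step says the domain controller returns the TGT in the KRB_AS_REP, but the bulleted list names "A request for ticket-granting service (TGS)" and never mentions the TGT; the reply carries the TGT, not a TGS request, so that bullet should read "Ticket-granting ticket (TGT)" or the list should be dropped. In the paragraph that follows, the API is spelled `CryptgetUserKey`; the Win32 function is `CryptGetUserKey`. Steps 18 and 20 both describe CertPropSvc copying the card's certificates into the user's store, and step 18 calls it the "Certification Propagation Service" while step 20 says "Certificate Propagation Service"; merge the two steps and use one name. The bold figure captions "Certificate revocation list distribution points", "UPN in Subject Alternative Name field", "Subject and Issuer fields", "High-level flow of certificate processing for sign-in" and "Certificate processing logic" are followed only by blank lines although the text says "The following figure demonstrates"; either add the image references or remove the captions and the "following figure" sentences. In "Client certificate mappings" the AltSecID form is written with raw `<I>` and `<S>`, which markdown treats as HTML tags and swallows; escape them or put the whole form in backticks. In the cross-forest paragraph, `DC=*<DomainControllerName>*` mislabels the RDN: `DC=` in a distinguished name is the domainComponent attribute (for example `DC=corp,DC=contoso,DC=com`), not a domain controller name. Finally, the Enhanced key usage row of the certificate requirements table has hard line breaks inside its cells (the "**Note** If an EKU is present..." text and "- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |" each start a new line), which breaks the table; use `<br>` or keep each cell on one line.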
diff --git a/windows/keep-secure/smart-card-debugging-information.md b/windows/keep-secure/smart-card-debugging-information.md
new file mode 100644
index 0000000000..c793347093
--- /dev/null
+++ b/windows/keep-secure/smart-card-debugging-information.md
@@ -0,0 +1,239 @@
+---
+title: Smart Cards Debugging Information (Windows 10)
+description: This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Cards Debugging Information
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+
+Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
+
+- [Certutil](#certutil)
+
+- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+
+- [Kerberos protocol, KDC and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+
+- [Smart Card service](#smart-card-service)
+
+- [Smart card readers](#smart-card-readers)
+
+- [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics)
+
+## Certutil
+
+For a complete description of Certutil including examples that show how to use it, see [Certutil \[W2012\]](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx).
+
+### List certificates available on the smart card
+
+To list certificates that are available on the smart card, type certutil -scinfo.
+
+> **Note** Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
+
+### Delete certificates on the smart card
+
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+
+To find the container value, type certutil -scinfo.
+
+To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
+
+## Debugging and tracing using WPP
+
+Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](http://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+
+### Enable the trace
+
+Using WPP, use one of the following commands to enable tracing:
+
+- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
+
+- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>***.etl -mode 0x00080000**
+
+You can use the parameters in the following table.
+
+| **Friendly name** | **GUID** | **Flags** |
+|-------------------|--------------------------------------|-----------|
+| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
+| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
+| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
+| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
+| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
+| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
+| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
+
+Examples
+
+To enable tracing for the SCardSvr service:
+
+- tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1
+
+- logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000
+
+To enable tracing for scfilter.sys:
+
+tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1
+
+### Stop the trace
+
+Using WPP, use one of the following commands to stop the tracing:
+
+- **tracelog.exe -stop** <*FriendlyName*>
+
+- **logman -stop** <*FriendlyName*> **-ets**
+
+Examples
+
+To stop a trace:
+
+- tracelog.exe -stop scardsvr
+
+- logman -stop scardsvr -ets
+
+## Kerberos protocol, KDC and NTLM debugging and tracing
+
+
+
+You can use the following resources to begin troubleshooting these protocols and the KDC:
+
+- [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx)
+
+- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) You can use the trace log tool in this SDK to debug Kerberos authentication failures.
+
+To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in the following examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+
+### NTLM
+
+To enable tracing for NTLM authentication, run the following at the command line:
+
+tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1
+
+To stop tracing for NTLM authentication, run the following at the command line:
+
+tracelog -stop ntlm
+
+### Kerberos authentication
+
+To enable tracing for Kerberos authentication, run the following at the command line:
+
+tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1
+
+To stop tracing for Kerberos authentication, run the following at the command line:
+
+tracelog.exe -stop kerb
+
+### KDC
+
+To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
+
+tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1
+
+To stop tracing for the KDC, run the following at the command line:
+
+tracelog.exe -stop kdc
+
+To stop tracing from a remote computer, run the following at the command line: logman.exe -s *<ComputerName>*.
+
+> **Note** The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
+
+### Configure tracing with the registry
+
+You can also configure tracing by editing the Kerberos registry values shown in the following table.
+
+| **Element** | **Registry Key Setting** |
+|-------------|----------------------------------------------------|
+| NTLM | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1\_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003 |
+| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos Value name: LogToFile Value type: DWORD Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: LogToFile Value type: DWORD Value data: 00000001 |
+| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc Value name: KdcDebugLevel Value type: DWORD Value data: c0000803 |
+
+If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+
+Otherwise, if you used the registry key settings shown in the previous table, look for the generated trace log files in the following locations:
+
+- NTLM: %systemroot%\\tracing\\msv1\_0
+
+- Kerberos: %systemroot%\\tracing\\kerberos
+
+- KDC: %systemroot%\\tracing\\kdcsvc
+
+To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+
+## Smart Card service
+
+The smart card resource manager service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process.
+
+**To check if Smart Card service is running**
+
+1. Press CTRL+ALT+DEL, and then click **Start Task Manager**.
+
+2. In the **Windows Task Manager** dialog box, click the **Services** tab.
+
+3. Click the **Name** column to sort the list alphabetically, and then type **s**.
+
+4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
+
+**To restart Smart Card service**
+
+1. Run as administrator at the command prompt.
+
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+
+3. At the command prompt, type **net stop SCardSvr**.
+
+4. At the command prompt, type **net start SCardSvr**.
+
+You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+
+The following is example output from running this command:
+
+```
+SERVICE_NAME: scardsvr
+ TYPE : 20 WIN32_SHARE_PROCESS
+ STATE : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+ WIN32_EXIT_CODE : 0 (0x0)
+ SERVICE_EXIT_CODE : 0 (0x0)
+ CHECKPOINT : 0x0
+ WAIT_HINT : 0x0
+ PID : 1320
+ FLAGS :
+C:\>
+```
+
+## Smart card readers
+
+As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.
+
+**To check if smart card reader is working**
+
+1. Navigate to **Computer**.
+
+2. Right-click **Computer**, and then click **Properties**.
+
+3. Under **Tasks**, click **Device Manager**.
+
+4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
+
+> **Note** If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+
+## CryptoAPI 2.0 Diagnostics
+
+CryptoAPI 2.0 Diagnostics is a feature that is available in Windows operating systems that supports CryptoAPI 2.0. This feature can help you troubleshoot public key infrastructure (PKI) issues.
+
+CryptoAPI 2.0 Diagnostics logs events in the Windows event log, which contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
+
+For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an Enterprise PKI](https://technet.microsoft.com/library/cc771463.aspx).
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
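Review bot: the commands under "Stop the trace" use `logman -stop <FriendlyName> -ets` and `logman -stop scardsvr -ets`, but logman takes `stop` as a verb, not a switch, as the start example in the same section (`logman start scardsvr -ets -p {...}`) shows; these should be `logman stop scardsvr -ets`. The generic logman template also writes the provider flags as `-<Flags>` with a leading dash, while the worked example passes them positionally (`-p {13038e47-...} 0xffff`), which is the form logman accepts; drop the dash from the template. In the KDC section, "To stop tracing from a remote computer, run ... logman.exe -s <ComputerName>" is incomplete, since `-s` only selects the target computer; the line needs the verb and session as well, for example `logman stop kdc -ets -s <ComputerName>`, and the note after it gives the default path as `%systemroot%system32\`, missing the backslash after `%systemroot%`. The WDK bullet runs "(WinDbg) You can use the trace log tool in this SDK" together without punctuation. The Kerberos row of the registry table places its three registry paths on separate physical lines inside one cell, which breaks the markdown table; join them with `<br>`. Lastly, the topic is marked "Applies To: Windows 10, Windows Server 2016", but the Task Manager and Device Manager procedures ("click **Start Task Manager**"; "Navigate to **Computer** ... Under **Tasks**, click **Device Manager**") describe the Windows 7 UI and should be rewritten for the Windows 10 paths.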
diff --git a/windows/keep-secure/smart-card-events.md b/windows/keep-secure/smart-card-events.md
new file mode 100644
index 0000000000..7fcd797652
--- /dev/null
+++ b/windows/keep-secure/smart-card-events.md
@@ -0,0 +1,111 @@
+---
+title: Smart Card Events (Windows 10)
+description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Events
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
+
+A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization.
+
+- [Smart card reader name](#smart-card-reader-name)
+
+- [Smart card warning events](#smart-card-warning-events)
+
+- [Smart card error events](#smart-card-error-events)
+
+- [Smart card Plug and Play events](#smart-card-plug-and-play-events)
+
+## Smart card reader name
+
+The Smart Card resource manager does not use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
+
+The following three attributes are used to construct the smart card reader name:
+
+- Vendor name
+
+- Interface device type
+
+- Device unit
+
+The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information:
+
+- Vendor name: Contoso
+
+- Interface device type: Smart Card Reader
+
+- Device unit: 0
+
+## Smart card warning events
+
+> **Note** IOCTL in the following table refers to input and output control.
+
+| **Event ID** | **Warning Message** | **Description** |
+|--------------|---------|--------------------------------------------------------------------------------------------|
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.
%1 = Windows error code %2 = Smart card reader name %3 = IOCTL being canceled %4 = First 4 bytes of the command that was sent to the smart card |
+| 619 | Smart Card Reader '%2' has not responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader has not responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader does not respond for 150 seconds. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting %2 = Smart card reader name %3 = IOCTL sent %4 = First 4 bytes of the command that was sent to the smart card |
+
+## Smart card error events
+
+| **Event ID** | **Error Message** | **Description** |
+|--------------|--------------------------------------------|-------------------------------------------------------------------------------|
+| 202 | Failed to initialize Server Application | An error occurred, and the service cannot initialize properly. Restarting the computer may resolve the issue. |
+| 203 | Server Control has no memory for reader reference object. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 204 | Server Control failed to create shutdown event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message. %1 = Name of the smart card reader that is duplicated |
+| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
+| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. |
+| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 506 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 507 | No memory available for Service Status Critical Section | There is not enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
+| 508 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 509 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 510 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 511 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 512 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 513 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 514 | Smart Card Resource Manager failed to add reader %2: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code %2 = Smart card reader name |
+| 515 | Smart Card Resource Manager failed to declare state: %1 | This is an internal unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue. %1 = Windows error code |
+| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue. %1 = Windows error code |
+| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Smart card reader name |
+| 521 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 523 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 602 | WDM Reader driver initialization cannot open reader device: %1 | The service cannot open a communication channel with the smart card reader. You cannot use the smart card reader until the issue is resolved. %1 = Windows error code |
+| 603 | WDM Reader driver initialization has no memory available to control device %1 | There is not enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue. %1 = Name of affected reader |
+| 604 | Server control cannot set reader removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 605 | Reader object failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 606 | Reader object failed to create removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress. %1 = Windows error code %2 = Name of the smart card reader %3 = IOCTL that was sent %4 = First 4 bytes of the command sent to the smart card |
+| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
+| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Windows error code |
+| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Windows error code |
+| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Windows error code %2 = Reader name |
+| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Smart card reader name |
+| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+
+## Smart card Plug and Play events
+
+| **Event ID** | **Event type** | **Event Message** | **Description** |
+|--------------|----------------|-----------------------------------------------------------------------------------------|----------------|
+| 1000 | Error | Could not get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play could not obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective. %1 = Smart card reader name %2 = Windows error code |
+| 1001 | Information | Software successfully installed for smart card in reader %1. The smart card name is %2. | Smart card Plug and Play successfully installed a minidriver for the inserted card. %1 = Smart card reader name %2 = Name of new smart card device |
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
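Review bot: Event ID 506 is listed twice in the Smart Card Resource Manager table with different messages, once as `Smart Card Resource Manager failed to register service: %1` and again as `Smart Card Resource Manager received unexpected exception from PnP event %1`; the second 506 row repeats the text given for 508, 509, 511 and 513, so one of the two 506 entries most likely carries the wrong ID and should be checked against the event source before merge. While you are in that table, the 610 message still contains the raw `%n%n` line-break placeholders from the message resource, which will render literally in markdown; replace them with a space or a `<br>` so the rendered message matches what appears in Event Viewer.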
diff --git a/windows/keep-secure/smart-card-group-policy-and-registry-settings.md b/windows/keep-secure/smart-card-group-policy-and-registry-settings.md
new file mode 100644
index 0000000000..7f3eb80f4e
--- /dev/null
+++ b/windows/keep-secure/smart-card-group-policy-and-registry-settings.md
@@ -0,0 +1,378 @@
+---
+title: Smart Card Group Policy and Registry Settings (Windows 10)
+description: This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Group Policy and Registry Settings
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+
+The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
+
+- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
+
+ - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
+
+ - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
+
+ - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
+
+ - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
+
+ - [Allow time invalid certificates](#allow-time-invalid-certificates)
+
+ - [Allow user name hint](#allow-user-name-hint)
+
+ - [Configure root certificate clean up](#configure-root-certificate-clean-up)
+
+ - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
+
+ - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
+
+ - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
+
+ - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
+
+ - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
+
+ - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
+
+ - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
+
+ - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
+
+ - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
+
+- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
+
+- [CRL checking registry keys](#crl-checking-registry-keys)
+
+- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
+
+## Primary Group Policy settings for smart cards
+
+The following smart card Group Policy settings are located in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+
+The registry keys are in the following locations:
+
+- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider
+
+- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp
+
+> **Note** Smart card reader registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers. Smart card registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards.
+
+The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic.
+
+| **Server Type or GPO** | **Default Value** |
+|----------------------------------------------|-------------------|
+| Default Domain Policy | Not configured |
+| Default Domain Controller Policy | Not configured |
+| Stand-Alone Server Default Settings | Not configured |
+| Domain Controller Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
+### Allow certificates with no extended key usage certificate attribute
+
+This policy setting allows certificates without an enhanced key usage (EKU) set to be used for sign in.
+
+> **Note** Enhanced key usage certificate attribute is also known as extended key usage.
+
+In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
+
+When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card:
+
+- Certificates with no EKU
+
+- Certificates with an All Purpose EKU
+
+- Certificates with a Client Authentication EKU
+
+When this policy setting is disabled or not configured, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowCertificatesWithNoEKU |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Allow ECC certificates to be used for logon and authentication
+
+This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. When this setting is enabled, ECC certificates on a smart card can be used to sign in to a domain. When this setting is disabled or not configured, ECC certificates on a smart card cannot be used to sign in to a domain.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------|
+| Registry key | EnumerateECCCerts |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign-in when you are not connected to the network. |
+
+### Allow Integrated Unblock screen to be displayed at the time of logon
+
+This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
+
+When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available.
+
+| **Item** | **Description** |
+|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowIntegratedUnblock |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature. You can create a custom message that is displayed when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
+
+### Allow signature keys valid for Logon
+
+This policy setting lets you allow signature key-based certificates to be enumerated and available for sign in. When this setting is enabled, any certificates available on the smart card with a signature-only key are listed on the sign-in screen. When this setting is disabled or not configured, certificates available on the smart card with a signature-only key are not listed on the sign-in screen.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowSignatureOnlyKeys |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Allow time invalid certificates
+
+This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in.
+
+Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
+
+When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowTimeInvalidCertificates |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Allow user name hint
+
+This policy setting lets you determine whether an optional field is displayed during sign-in and provides a subsequent elevation process that allows users to enter their user name or user name and domain, which associates a certificate with the user. If this setting is enabled, an optional field is displayed that allows users to enter their user name or user name and domain. If this setting is disabled or not configured, the field is not displayed.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | X509HintsNeeded |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Configure root certificate clean up
+
+This policy setting allows you to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this setting is enabled, you can set the following cleanup options:
+
+- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
+
+- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
+
+- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
+
+When this policy setting is disabled or not configured, root certificates are automatically removed when the user signs out of Windows.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | RootCertificateCleanupOption |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Display string when smart card is blocked
+
+When this policy setting is enabled, you can create and manage the displayed message that the user sees when a smart card is blocked. When this setting is disabled or not configured (and the integrated unblock feature is also enabled), the system’s default message is displayed to the user when the smart card is blocked.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------|
+| Registry key | IntegratedUnblockPromptString |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
+| Notes and resources | |
+
+### Filter duplicate logon certificates
+
+This policy setting lets you use a filtering process to configure which valid sign-in certificates are displayed. During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+
+Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (this is determined by their UPN). When this policy setting is enabled, filtering occurs so that the user will only see the most current valid certificates from which to select. If this setting is disabled or not configured, all the certificates are displayed to the user.
+
+This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
+
+| **Item** | **Description** |
+|--------------------------------------|--------------------------------------------------------------------------------------------------|
+| Registry key | FilterDuplicateCerts |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
+
+### Force the reading of all certificates from the smart card
+
+This policy setting allows you to manage how Windows reads all certificates from the smart card for sign-in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
+
+When this policy setting is enabled, Windows attempts to read all certificates from the smart card regardless of the CSP feature set. When disabled or not configured, Windows attempts to read only the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for sign in.
+
+| **Item** | **Description** |
+|--------------------------------------|----------------------------------------------------------------------------|
+| Registry key | ForceReadingAllCertificates |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None
**Important** Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
+| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
+
+### Notify user of successful smart card driver installation
+
+This policy setting allows you to control whether a confirmation message is displayed to the user when a smart card device driver is installed. When this policy setting is enabled, a confirmation message is displayed when a smart card device driver is installed. When this setting is disabled or not configured, a smart card device driver installation message is not displayed.
+
+| **Item** | **Description** |
+|--------------------------------------|------------------------------------------------|
+| Registry key | ScPnPNotification |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+
+### Prevent plaintext PINs from being returned by Credential Manager
+
+This policy setting prevents Credential Manager from returning plaintext PINs. Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. When this policy setting is enabled, Credential Manager does not return a plaintext PIN. When this setting is disabled or not configured, plaintext PINs can be returned by Credential Manager.
+
+| **Item** | **Description** |
+|--------------------------------------|-----------------------------------------------------------------------------------|
+| Registry key | DisallowPlaintextPin |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | If this policy setting is enabled, some smart cards may not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
+
+### Reverse the subject name stored in a certificate when displaying
+
+When this policy setting is enabled, it causes the display of the subject name to be reversed from the way it is stored in the certificate during the sign-in process.
+
+To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | ReverseSubject |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Turn on certificate propagation from smart card
+
+This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+
+If you enable or do not configure this policy setting, certificate propagation occurs when the user inserts the smart card. When this setting is disabled, certificate propagation does not occur and the certificates will not be made available to applications such as Outlook.
+
+| **Item** | **Description** |
+|--------------------------------------|----------------|
+| Registry key | CertPropEnabled |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
+| Notes and resources | |
+
+### Turn on root certificate propagation from smart card
+
+This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is enabled or not configured, root certificate propagation occurs when the user inserts the smart card.
+
+| **Item** | **Description** |
+|--------------------------------------|---------------------------------------------------------------------------------------------------------|
+| Registry key | EnableRootCertificate Propagation |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
+| Notes and resources | |
+
+### Turn on Smart Card Plug and Play service
+
+This policy setting allows you to control whether Smart Card Plug and Play is enabled. This means that your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with any of the supported versions of Windows is used for these cards.
+
+When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. If this policy setting is disabled a device driver is not installed when a smart card is inserted in a smart card reader.
+
+| **Item** | **Description** |
+|--------------------------------------|------------------------------------------------|
+| Registry key | EnableScPnP |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+
+## Base CSP and Smart Card KSP registry keys
+
+The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
+
+The registry keys for the Base CSP are located in the registry in HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider.
+
+The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider.
+
+**Registry keys for the base CSP and smart card KSP**
+
+| **Registry Key** | **Description** |
+|------------------------------------|---------------------------------------------------------------------------------|
+| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired. Default value: 00000400 Default key generation parameter: 1024-bit keys |
+| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required. Default value: 00000000 |
+| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail. Default value: 000005dc1500 The default timeout for holding transactions to the smart card is 1.5 seconds. |
+
+**Additional registry keys for the smart card KSP**
+
+| **Registry Key** | **Description** |
+|--------------------------------|-----------------------------------------------------|
+| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **AllowPrivateECDSAKeyImport** | This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+
+## CRL checking registry keys
+
+The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client.
+
+**CRL checking registry keys**
+
+| **Registry Key** | **Details** |
+|------------|-----------------------------|
+| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD Value = 1 |
+| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD Value = 1 |
+
+## Additional smart card Group Policy settings and registry keys
+
+In a smart card deployment, additional Group Policy settings can be used to enhance ease-of-use or security. Two of these policy settings that can complement a smart card deployment are:
+
+- Turning off delegation for computers
+
+- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
+
+The following smart card-related Group Policy settings are located in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+
+**Local security policy settings**
+
+| Group Policy Setting and Registry Key | Default | Description |
+|------------------------------------------|------------|---------------|
+| Interactive logon: Require smart card
scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can only sign in to the computer by using a smart card. **Disabled** Users can sign in to the computer by using any method. |
+| Interactive logon: Smart card removal behavior
scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are: **No Action** **Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. **Force Logoff**: The user is automatically signed out when the smart card is removed. **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.
**Note** Remote Desktop Services was called Terminal Services in previous versions of Windows Server. |
+
+From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
+
+The following smart card-related Group Policy settings are located in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+
+Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults.
+
+> **Note** In the following table, fresh credentials are those that you are prompted for when running an application.
+
+**Credential delegation policy settings**
+
+| Group Policy Setting and Registry Key | Default | Description |
+|----------------------------------------|-----------|-------------|
+| **Allow Delegating Fresh Credentials**
AllowFreshCredentials | Not Configured | This policy setting applies: When server authentication was achieved through a trusted X509 certificate or Kerberos protocol. To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer. **Disabled**: Delegation of fresh credentials to any computer is not permitted.
**Note** This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example: Use *TERMSRV/\** for Remote Desktop Session Host (RD Session Host) running on any computer. Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer. Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
+| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**
AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies: When server authentication was achieved by using NTLM. To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*). **Disabled**: Delegation of fresh credentials is not permitted to any computer.
**Note** This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN. See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+| **Deny Delegating Fresh Credentials**
DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated. **Disabled** or **Not Configured**: A server is not specified.
**Note** This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN. See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+
+If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored.
+
+| **Registry key** | **Corresponding Group Policy setting** |
+|-------------------------------------|---------------------------------------------------------------------------|
+| AllowDefaultCredentials | Allow Delegating Default Credentials |
+| AllowDefaultCredentialsWhenNTLMOnly | Allow Delegating Default Credentials with NTLM-only Server Authentication |
+| AllowSavedCredentials | Allow Delegating Saved Credentials |
+| AllowSavedCredentialsWhenNTLMOnly | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
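Review bot: The RequireOnCardPrivateKeyGen row in the Base CSP table contradicts itself: it says the key "sets the flag that requires on-card private key generation (default)" and then "If this value is set, a key generated on a host can be imported into the smart card", which is the opposite behaviour; state which value (0 or non-zero) permits host-generated key import and reconcile it with the documented default of 00000000. Three more data problems in the same file: the TransactionTimeoutMilliseconds default "000005dc1500" runs the hex DWORD (0x5dc) together with its decimal value (1500) and should be one or the other; the root propagation row names the value "EnableRootCertificate Propagation" with an embedded space, which cannot be a registry value name as written and looks like a wrapped "EnableRootCertificatePropagation"; and the CRL table abbreviates the hive path as HKEY_LOCAL_MACHINE\SYSTEM\CCS\... while every other path in the file spells out ControlSet001 (prefer CurrentControlSet throughout, since ControlSet001 is not guaranteed to be the active control set). The CRL section's intro says these keys "turn off certificate revocation list (CRL) checking", so it should add one sentence that setting UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors to 1 weakens revocation enforcement for smart card logon and is a troubleshooting setting, not a hardening one. Finally, rows of the "Local security policy settings" and "Credential delegation policy settings" tables are split across lines (for example "| Interactive logon: Require smart card" followed on the next line by "scforceoption | Disabled | ..."), which a markdown pipe table does not render; keep each row on one line and use <br> for the breaks, and drop the stray "and" in "When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver".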
diff --git a/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md
new file mode 100644
index 0000000000..a8e96e226c
--- /dev/null
+++ b/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -0,0 +1,27 @@
+---
+title: How Smart Card Sign-in Works in Windows (Windows 10)
+description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# How Smart Card Sign-in Works in Windows
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
+
+- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.
+
+- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer.
+
+- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections.
+
+- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented.
+
+- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
+
+- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
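Review bot: The description front matter and the first body sentence both read "This topic for IT professional provides links", missing the article; the sibling pages in this change use "for the IT professional" (and "for the IT professional and smart card developer" on the tools page), so align this one with them.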
diff --git a/windows/keep-secure/smart-card-removal-policy-service.md b/windows/keep-secure/smart-card-removal-policy-service.md
new file mode 100644
index 0000000000..dcd96bdf27
--- /dev/null
+++ b/windows/keep-secure/smart-card-removal-policy-service.md
@@ -0,0 +1,35 @@
+---
+title: Smart Card Removal Policy Service (Windows 10)
+description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Removal Policy Service
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
+
+The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+**Smart card removal policy service**
+
+
+
+The numbers in the previous figure represent the following actions:
+
+1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign in was initiated.
+
+2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
+
+3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
+
+4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
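Review bot: The figure is missing: the bold caption "Smart card removal policy service" is followed only by blank lines and then "The numbers in the previous figure represent the following actions", but no image reference is in the hunk, so steps 1 to 4 point at something the reader cannot see. Add the image link, or drop the caption and the "previous figure" wording and let the numbered list stand alone. Step 1 also opens with a disclaimer ("Winlogon is not directly involved in monitoring for smart card removal events") rather than an action; moving that sentence above the list would leave each numbered item as one step of the sequence.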
diff --git a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
new file mode 100644
index 0000000000..a0c0edd3dc
--- /dev/null
+++ b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
@@ -0,0 +1,107 @@
+---
+title: Smart Cards for Windows Service (Windows 10)
+description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Cards for Windows Service
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
+
+The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications Overview](http://www.pcscworkgroup.com/specifications/overview.php).
+
+The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
+
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+> **Note** For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
+`Class=SmartCardReader` `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
+
+By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start the service during installation. The entry point is defined as part of the **SmartCardReader** class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted. Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards.
+
+When the service is started, it performs several functions:
+
+1. It registers itself for service notifications.
+
+2. It registers itself for Plug and Play (PnP) notifications related to device removal and additions.
+
+3. It initializes its data cache and a global event that signals that the service has started.
+
+> **Note** For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
+
+The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows service handles the following high-level actions:
+
+- Device introduction
+
+- Reader initialization
+
+- Notifying clients of new readers
+
+- Serializing access to readers
+
+- Smart card access
+
+- Tunneling of reader-specific commands
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
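Review bot: The fenced block after "The Smart Cards for Windows service, Scardsvr, has the following service description:" is empty (about twenty blank lines between the fences), so the description that sentence promises never appears; paste it in or remove both the sentence and the fence. The INF note also breaks its own blockquote: the "> **Note** For winscard.dll to be invoked as the proper class installer" line is followed by a plain line "`Class=SmartCardReader` `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`" without the ">" prefix, so it renders outside the note; keep both lines in the quote, and since the text says the INF "must specify" these two keys, a two-line fenced block is clearer than inline code spans. Minor: "winscard.dll files call a predefined entry point" should be "winscard.dll calls a predefined entry point" (there is one DLL), and the PC/SC Workgroup link is plain http.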
diff --git a/windows/keep-secure/smart-card-tools-and-settings.md b/windows/keep-secure/smart-card-tools-and-settings.md
new file mode 100644
index 0000000000..c84b997c09
--- /dev/null
+++ b/windows/keep-secure/smart-card-tools-and-settings.md
@@ -0,0 +1,27 @@
+---
+title: Smart Card Tools and Settings (Windows 10)
+description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Tools and Settings
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
+
+This section of the Smart Card Technical Reference contains information about the following:
+
+- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues.
+
+- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers.
+
+- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors.
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
diff --git a/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md b/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md
new file mode 100644
index 0000000000..bb376178cb
--- /dev/null
+++ b/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md
@@ -0,0 +1,65 @@
+---
+title: Smart Card Technical Reference (Windows 10)
+description: This technical reference for the IT professional and smart card developer describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Technical Reference
+
+Applies To: Windows 10, Windows Server 2016
+
+The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.
+
+## Audience
+
+This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for:
+
+- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
+
+- Smart card vendors who write smart card minidrivers or credential providers.
+
+## What are smart cards?
+
+Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account.
+
+Smart cards provide:
+
+- Tamper-resistant storage for protecting private keys and other forms of personal information.
+
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card.
+
+- Portability of credentials and other private information between computers at work, home, or on the road.
+
+Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
+
+**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
+
+## In this technical reference
+
+This reference contains the following topics.
+
+- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+
+ - [Smart Card Architecture](smart-card-architecture.md)
+
+ - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
+
+ - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
+
+ - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
+
+ - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
+
+ - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
+
+- [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
+
+ - [Smart Cards Debugging Information](smart-card-debugging-information.md)
+
+ - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
+
+ - [Smart Card Events](smart-card-events.md)
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index acf27319d7..277ad8c4ba 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -40,7 +40,8 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
>**Note:** Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
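Review bot: This hunk changes only whitespace (one blank line removed, two added) and produces no visible difference, so it can be dropped to keep the diff focused. While here: the retained ">**Note:** Some information relates to pre-released product" disclaimer sits above text that a later hunk changes from "As of July 28, 2016" to "Since July 28, 2016", which reads as a shipped requirement; check whether the pre-release disclaimer still applies to anything on this page.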
@@ -59,48 +60,31 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 2.0 offers a more **consistent experience** across different implementations.
- - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
- - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.
+ - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
+ - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC:
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
- - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
- - For AMD chips, it is the AMD Security Processor
- - For ARM chips, it is a Trustzone Trusted Application (TA).
- - In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
+## Discrete, Integrated or Firmware TPM?
-## Discrete or firmware TPM?
+There are three implementation options for TPMs:
-Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
+- Discrete TPM chip as a separate component in its own semiconductor package
+- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
+- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
-From a security standpoint, discrete and firmware share the same characteristics;
-
-- Both use hardware based secure execution.
-- Both use firmware for portions of the TPM functionality.
-- Both are equipped with tamper resistance capabilities.
-- Both have unique security limitations/risks.
-
-For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
+Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
## Is there any importance for TPM for consumer?
-For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
+For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a components of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
-## Two implementation options:
-
-- Discrete TPM chip as a separate discrete component
-- Firmware TPM solution using Intel PTT (platform trust technology) or AMD
-
-### Windows 10 Mobile
-
-- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
-
### IoT Core
- TPM is optional on IoT Core.
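Review bot: grammar in the rewritten consumer answer: "will be a components of many other key security features" should read "will be a component of", and the compliance bullet (kept from the old text) still says "a existing model, line or series", which should be "an existing model". Separately, this hunk deletes the "Two implementation options" list and the whole "Windows 10 Mobile" section, including the requirement "All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled", without replacing either; if the Mobile requirement still applies it needs to be stated somewhere on the page, and if it was dropped on purpose the commit message should say so. The remaining bullet still points at "section 3.7" of the hardware requirements document, so confirm that section reference is still correct after the rewrite.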
@@ -226,7 +210,7 @@ The following table defines which Windows features require TPM support. Some fea
## Chipset options for TPM 2.0
-There are a variety of TPM manufacturers for both discrete and firmware.
+There is a vibrant ecosystem of TPM manufacturers.
### Discrete TPM
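Review bot: the replacement sentence "There is a vibrant ecosystem of TPM manufacturers." reads as marketing copy and loses the information the old sentence carried, namely that suppliers exist for both discrete and firmware implementations, which is exactly what the subsections that follow enumerate (Discrete, Integrated, Firmware after this patch). Suggest an intro that matches the table structure, for example "TPMs are available from a variety of manufacturers as discrete, integrated, or firmware implementations.", so a reader choosing a platform knows the three categories before reading the tables.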
@@ -250,6 +234,33 @@ There are a variety of TPM manufacturers for both discrete and firmware.
+### Integrated TPM
+
+
+
+
+
+
+
Supplier
+
Chipset
+
+
+
+
+
Intel
+
+
Atom (CloverTrail)
+
Baytrail
+
Braswell
+
4th generation Core (Haswell)
+
5th generation Core (Broadwell)
+
6th generation Core (Skylake)
+
7th generation Core (Kaby Lake)
+
+
+
+
+
### Firmware TPM
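Review bot: the new "Integrated TPM" section gives no definition of what distinguishes an integrated TPM from the discrete and firmware categories, and its only entries are the Intel chipsets (Atom CloverTrail through 7th generation Core Kaby Lake) that the next hunk removes from "Firmware TPM". Since the page previously described Intel PTT as a firmware option ("Firmware TPM solution using Intel PTT (platform trust technology) or AMD", deleted earlier in this patch), a reader doing a trust-boundary or attestation assessment will not know why the same parts changed category; add one sentence defining the category under the heading. Also, the table content appears in the hunk as bare "Supplier", "Chipset", "Intel" lines separated by blank lines rather than in the markdown pipe-table form the other files in this patch use, so check that whatever table markup is intended actually survived and renders.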
@@ -272,17 +283,6 @@ There are a variety of TPM manufacturers for both discrete and firmware.
-
Intel
-
-
Atom (CloverTrail)
-
Baytrail
-
4th generation(Haswell)
-
5th generation(Broadwell)
-
Braswell
-
Skylake
-
-
-
Qualcomm
MSM8994
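Review bot: after this deletion the "Firmware TPM" table lists only Qualcomm MSM8994, yet the intro line removed earlier in this patch named AMD alongside Intel PTT as a firmware TPM option, and AMD does not appear in any table touched here. Either the AMD firmware TPM belongs in this table, or the omission is intentional and the section should say the list is not exhaustive; as it stands a reader could conclude that Qualcomm is the only firmware TPM supplier. The relabelling of the moved rows ("4th generation(Haswell)" to "4th generation Core (Haswell)", "Skylake" to "6th generation Core (Skylake)") is an improvement and consistent with the new table.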
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 9f73d970e0..e3c1d51f68 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -149,7 +149,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
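Review bot: the Event ID 6 resolution now links to the whole configure-endpoints page instead of its "#manual" section, so a reader following "Run the onboarding script again" has to find the script-based steps themselves; if the "#manual" anchor was removed from the target page, link to whichever fragment now heads those steps, otherwise keep the fragment. The Event ID 7 row ("then run the entire onboarding process again") has no link at all and would benefit from the same target.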
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 150079eaff..fd485e8645 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -29,6 +29,9 @@ Configure your browser to allow cookies.
### No data is shown on the portal
If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
+> [!NOTE]
+> You must use the HTTPS protocol when adding the following endpoints.
+
Depending on your region, add the following endpoints to the whitelist:
U.S. region:
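Review bot: the new note says "You must use the HTTPS protocol when adding the following endpoints", but the sentence before it only says the endpoints "also use this protocol" with no antecedent in view, and the lists that follow are bare hostnames. Either prefix each entry with https:// or state in the note that it is TLS traffic on port 443 to these hosts that must be allowed, so that whoever configures the proxy or firewall allow-list does not add HTTP-only rules and still see an empty portal.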
@@ -37,9 +40,6 @@ U.S. region:
- daasmon-eus-prd.cloudapp.net
- dataaccess-cus-prd.cloudapp.net
- dataaccess-eus-prd.cloudapp.net
-- onboardingservice-prd.trafficmanager.net
-- sevillefeedback-prd.trafficmanager.net
-- sevillesettings-prd.trafficmanager.net
- threatintel-cus-prd.cloudapp.net
- threatintel-eus-prd.cloudapp.net
- winatpauthorization.windows.com
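Review bot: this removes onboardingservice-prd.trafficmanager.net, sevillefeedback-prd.trafficmanager.net and sevillesettings-prd.trafficmanager.net from the U.S. allow-list with no explanation in the change. If the sensor still contacts any of these hosts during onboarding, customers with restrictive egress proxies will follow the updated document and then hit the "failed to connect to the server" condition the onboarding event table in this same patch documents as Event ID 5, so the commit message should state that these hosts are retired or folded into another entry. If they were removed only because they are region-neutral, they belong in a shared "all regions" list rather than being deleted.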
@@ -51,9 +51,6 @@ EU region:
- dataaccess-neu-prd.cloudapp.net
- dataaccess-weu-prd.cloudapp.net
-- onboardingservice-prd.trafficmanager.net
-- sevillefeedback-prd.trafficmanager.net
-- sevillesettings-prd.trafficmanager.net
- threatintel-neu-prd.cloudapp.net
- threatintel-weu-prd.cloudapp.net
- winatpauthorization.windows.com
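Review bot: the same three trafficmanager.net hostnames are removed from the EU list as from the U.S. list, which keeps the two regions consistent; the same question applies here, i.e. confirm that the onboarding service, feedback and settings endpoints are no longer contacted by the sensor before this is published, because after this change the document has no entry covering them for any region.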
diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
index 5973f94f6f..d927f73825 100644
--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
@@ -30,8 +30,8 @@ The TPM Services Group Policy settings are located at:
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
-| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
-| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
+| [Standard User Individual Lockout Threshold](#bkmk-individual)| X| X| X| X|||
+| [Standard User Total Lockout Threshold](#bkmk-total)| X| X| X| X||||
### Turn on TPM backup to Active Directory Domain Services
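Review bot: the two retargeted anchors drop the "#bkmk-tpmgp-" prefix every other row in this table uses ("#bkmk-tpmgp-illb", "#bkmk-tpmgp-oauthos", "#bkmk-tpmgp-suld") in favour of "#bkmk-individual" and "#bkmk-total", and the hunk does not show the headings being changed, so verify that the two lockout-threshold sections actually carry these ids; if the headings were renamed in the same file, include that part of the diff, and consider keeping the prefix convention so the ids stay predictable. Also, the "Standard User Total Lockout Threshold" row ends in "X||||" where the rows above end in "X|||", so it has one more cell than the header and will render with an extra empty column.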
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
index 3aabc0a07e..2aa91da1a1 100644
--- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@@ -193,5 +193,5 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled 1 = Enabled |
| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled 1 (Default) = Enabled |
| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled 1 (Default) = Enabled |
-| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled 1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled 1 (Default) = Enabled |
| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled 1 (Default) = Enabled |
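Review bot: removing the colon from the fragment ("#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation") brings this row in line with the heading-id form every other row in the table already uses, so the fix looks correct; just confirm in the rendered page that the "Switch to the secure desktop when prompting for elevation" heading resolves to that id.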
diff --git a/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md
new file mode 100644
index 0000000000..3c4dbe36c7
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -0,0 +1,275 @@
+---
+title: Deploy Virtual Smart Cards (Windows 10)
+description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Deploy Virtual Smart Cards
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
+
+Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.
+
+
+
+Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
+
+This topic contains information about the following phases in a virtual smart card lifecycle:
+
+- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
+
+- [Provision virtual smart cards](#provision-virtual-smart-cards)
+
+- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
+
+## Create and personalize virtual smart cards
+
+A corporation purchases the devices to deploy then. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. The security that is provided for a TPM virtual smart card is fully provisioned in the host TPM.
+
+### Trusted Platform Module readiness
+
+The TPM Provisioning Wizard, which is launched from the **TPM Management Console**, takes the user through all the steps to prepare the TPM for use.
+
+When you create virtual smart cards, consider the following actions in the TPM:
+
+- **Enable and Activate**: TPMs are built in to many industry ready computers, but they often are not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS. For more information, see Initialize and Configure Ownership of the TPM.
+
+- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the storage root key. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password.
+ For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by storing it in Active Directory, not in the local registry. When TPM ownership is set in Windows Vista, the TPM needs to be cleared and reinitialized. For more information, see Trusted Platform Module Technology Overview.
+
+- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time. For more information, see Manage TPM Lockout.
+
+A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer.
+
+Those smart card deployment management tools that require a status check of a TPM before attempting to create a TPM virtual smart card can do so using the TPM WMI interface.
+
+Depending on the setup of the computer that is designated for installing TPM virtual smart cards, it might be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md).
+
+For more information about managing TPMs by using built-in tools, see Trusted Platform Module Services Group Policy Settings.
+
+### Creation
+
+A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security:
+
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
+
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
+
+For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+### Personalization
+
+During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If a PUK is set, the administrator key can no longer be used to reset the PIN.)
+
+Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
+
+- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued.
+
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
+
+- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card’s security is independent of the others. This is secure on a large scale unless the administrator key database is compromised.
+
+- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used.
+
+Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is simply entered on the computer to enable a user PIN reset.
+
+The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process.
+
+TPM virtual smart cards can be personalized on an individual basis when they are created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An additional advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards.
+
+## Provision virtual smart cards
+
+Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.
+
+A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver’s license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an “enroll-on-behalf-of” strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station.
+
+For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost.
+
+For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md).
+
+High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user’s computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer.
+
+In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager.
+
+When you are provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they are also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack.
+
+If a virtual smart card is compromised, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. This requires a record of which credentials match which user and computer, which is functionality that does not exist natively in Windows. Deployment administrators might want to consider add-on solutions to maintain such a record.
+
+### Virtual smart cards on consumer devices used for corporate access
+
+There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that are not joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Windows Store (for example, devices running Windows RT).
+
+You can use APIs that were introduced in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically).
+
+#### TPM ownerAuth in the registry
+
+When a device or computer is not joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that are not protected include:
+
+- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
+
+- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
+
+The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. Policies for automatic lockout can be set while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
+
+For configuration information about the TPM ownerAuth registry key, see the Group Policy setting Configure the level of TPM owner authorization information available to the operating system.
+
+
+
+For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287(v=ws.11).aspx).
+
+#### Managed and unmanaged cards
+
+The following table describes the important differences between managed and unmanaged virtual smart cards that exist on consumer devices:
+
+
+
+| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) |
+|-----------------------------------------|--------------|----|
+| Reset PIN when the user forgets the PIN | Yes | No, the card has to be deleted and created again. |
+| Allow user to change the PIN | Yes | No, the card has to be deleted and created again. |
+
+## Managed cards
+
+A managed virtual smart card can be serviced by the IT administrator or another person in that designated role. It allows the IT administrator to have influence or complete control over specific aspects of the virtual smart card from its creation to deletion. To manage these cards, a virtual smart card deployment management tool is often required.
+
+### Managed card creation
+
+A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool that is run with administrative credentials through an elevated command prompt. This virtual smart card needs to be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option should not be specified).
+
+The following command creates a virtual smart card that can later be managed by a smart card management tool launched from another computer (as explained in the next section):
+
+`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT`
+
+Alternatively, instead of using a default administrator key, a user can enter an administrator key at the command line:
+
+`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT`
+
+In either case, the card management system needs to be aware of the initial administrator key that is used so that it can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when the default value is used, the administrator key is set to:
+
+`10203040506070801020304050607080102030405060708`
+
+For information about using this command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+### Managed card management
+
+After the virtual smart card is created, the user needs to open a remote desktop connection to an enrollment station, for example, in a computer that is joined to the domain. Virtual smart cards that are associated with a client computer are available for use in the remote desktop connection. The user can open a card management tool inside the remote session that can take ownership of the card and provision it for use by the user. This requires that a user is allowed to establish a remote desktop connection from a non-domain-joined computer to a domain-joined computer. This might require a specific network configuration, such as through IPsec policies.
+
+When users need to reset or change a PIN, they need to use the remote desktop connection to complete these operations. They can use the built-in tools for PIN unlock and PIN change or the smart card management tool.
+
+### Certificate management for managed cards
+
+Similar to physical smart cards, virtual smart cards require certificate enrollment.
+
+#### Certificate issuance
+
+Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card does not need to be installed on the client computer if it is installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
+
+Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
+
+#### Certificate lifecycle management
+
+You can renew certificates through remote desktop connections, certificate enrollment policies, or certificate enrollment services. Renewal requirements could be different from the initial issuance requirements, based on the renewal policy.
+
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+
+## Unmanaged cards
+
+Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user’s credentials and he or she must re-enroll.
+
+### Unmanaged card creation
+
+A user can create a virtual smart card by using the Tpmvscmgr command-line tool, which is run with administrative credentials through an elevated command prompt. The following command creates an unmanaged card that can be used to enroll certificates:
+
+`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate`
+
+This command creates a card with a randomized administrator key. The key is automatically discarded after the creation of the card. If users forget or want to change their PIN, they need to delete the card and create it again. To delete the card, a user can run the following command:
+
+`tpmvscmgr.exe destroy /instance `
+
+where <instance ID> is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000).
+
+### Certificate management for unmanaged cards
+
+Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line.
+
+#### Requesting the certificate by providing domain credentials only
+
+The simplest way for users to request certificates is to provide their domain credentials through a script that can perform the enrollment through built-in components you have in place for certificate requests.
+
+Alternatively, an application (such as a line-of-business app) can be installed on the computer to perform enrollment by generating a request on the client. The request is submitted to an HTTP server, which can forward it to a registration authority.
+
+Another option is to have the user access an enrollment portal that is available through Internet Explorer. The webpage can use the scripting APIs to perform certificate enrollment.
+
+#### Signing the request with another certificate
+
+You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user.
+
+The user can import the certificate into the **MY** store (which is the user’s certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card.
+
+For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure:
+
+1. Users initiate a request on a domain-joined computer.
+
+2. Users complete the request by using a physical smart card to sign the request.
+
+3. Users download the request to the virtual smart card on their client computer.
+
+#### Using one-time password for enrollment
+
+Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
+
+#### Certificate lifecycle management
+
+Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
+
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+
+## Maintain virtual smart cards
+
+Maintenance is a significant portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. After virtual smart cards are created, personalized, and provisioned, they can be used for convenient two-factor authentication. Deployment administrators must be aware of several common administrative scenarios, which can be approached by using a purchased virtual smart card solution or on a case-by-case basis with in-house methods.
+
+**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user’s choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair.
+
+When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards.
+
+**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user’s identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
+
+**Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific.
+
+**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
+
+The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it is only necessary to revoke the certificates that are stored on the virtual smart card.
+
+### Emergency preparedness
+
+#### Card reissuance
+
+The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card’s privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled.
+
+#### Blocked virtual smart card
+
+The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+
+## See also
+
+[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+
+[Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+
+[Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+
+[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+
+[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
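Review bot: the `destroy` example under "Unmanaged card creation" has lost its argument value: `tpmvscmgr.exe destroy /instance ` ends right after the switch, and the `<instance ID>` in the following explanatory line will be swallowed as an HTML tag by the markdown renderer, so readers see neither the placeholder nor its explanation. Suggest `tpmvscmgr.exe destroy /instance <instance ID>` inside the code span and escaping the placeholder in the prose (a code span or `&lt;instance ID&gt;`); the same sentence also carries an unmatched closing parenthesis after `ROOT\\SMARTCARDREADER\\0000`. Minor: "organzation" in the "Unmanaged cards" paragraph should be "organization", and the paragraph beginning "Certificate revocation requires careful planning" appears verbatim twice in this hunk (once at the top, again under "Certificate lifecycle management" for unmanaged cards); if both sections need it, a cross-reference would avoid the duplicated text drifting apart later.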
diff --git a/windows/keep-secure/virtual-smart-card-evaluate-security.md b/windows/keep-secure/virtual-smart-card-evaluate-security.md
new file mode 100644
index 0000000000..ad80b759e0
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-evaluate-security.md
@@ -0,0 +1,61 @@
+---
+title: Evaluate Virtual Smart Card Security (Windows 10)
+description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Evaluate Virtual Smart Card Security
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
+
+## Virtual smart card non-exportability details
+
+A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data.
+
+The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
+
+
+
+The following keys are stored on the hard disk:
+
+- User key
+
+- Smart card key, which is encrypted by the storage root key
+
+- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key
+
+When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user’s key that is stored on the virtual smart card.
+
+The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access.
+
+## Virtual smart card anti-hammering details
+
+The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide very flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism.
+
+The Trusted Computing Group also specifies that if the response to attacks involves suspending proper function of the TPM for some period of time or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include:
+
+1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM.
+
+ > **Note** Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK.
+
+1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands.
+
+2. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN.
+
+As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following protection:
+
+1. Number of wrong PINs allowed before entering lockout (threshold): 9
+
+2. Time the TPM is in lockout after the threshold is reached: 10 seconds
+
+3. Timed delay doubles for each wrong PIN after the threshold is reached
+
+## See also
+
+[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
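Review bot: the sentence "The following diagram illustrates the secure key hierarchy and the process of accessing the user key." is followed only by blank lines; the image reference for the key-hierarchy diagram is missing from this file, so either add the image link or drop the sentence. Also, the numbered list under "Virtual smart card anti-hammering details" runs 1., 1., 2.: the item "Increase the time delay exponentially..." should be 2. and the failure-leakage item 3. The indented Note block after the first item is what breaks the numbering; keep it indented by the list's item width so the list continues through it.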
diff --git a/windows/keep-secure/virtual-smart-card-get-started.md b/windows/keep-secure/virtual-smart-card-get-started.md
new file mode 100644
index 0000000000..c2d31f8b16
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-get-started.md
@@ -0,0 +1,165 @@
+---
+title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
+description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Get Started with Virtual Smart Cards: Walkthrough Guide
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
+
+Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
+
+This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
+
+**Time requirements**
+
+You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
+
+**Walkthrough steps**
+
+- [Prerequisites](#prerequisites)
+
+- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
+
+- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card)
+
+- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card)
+
+> **Important** This basic configuration is for test purposes only. It is not intended for use in a production environment.
+
+## Prerequisites
+
+You will need:
+
+- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0).
+
+- A test domain to which the computer listed above can be joined.
+
+- Access to a server in that domain with a fully installed and running certification authority (CA).
+
+## Step 1: Create the certificate template
+
+On your domain server, you need to create a template for the certificate that you will request for the virtual smart card.
+
+### To create the certificate template
+
+1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**.
+
+2. Click **File**, and then click **Add/Remove Snap-in**.
+
+ 
+
+3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
+
+ 
+
+4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
+
+5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
+
+ 
+
+6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
+
+ 
+
+7. On the **General** tab:
+
+ 1. Specify a name, such as **TPM Virtual Smart Card Logon**.
+
+ 2. Set the validity period to the desired value.
+
+8. On the **Request Handling** tab:
+
+ 1. Set the **Purpose** to **Signature and smartcard logon**.
+
+ 2. Click **Prompt the user during enrollment**.
+
+9. On the **Cryptography** tab:
+
+ 1. Set the minimum key size to 2048.
+
+ 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
+
+10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
+
+11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
+
+12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
+
+ 
+
+13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
+
+14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
+
+ 
+
+15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
+
+ > **Note** It can take some time for your template to replicate to all servers and become available in this list.
+
+ 
+
+16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
+
+ 
+
+## Step 2: Create the TPM virtual smart card
+
+In this step, you will create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md).
+
+### To create the TPM virtual smart card
+
+1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
+
+ 
+
+2. At the command prompt, type the following, and then press ENTER:
+
+ `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
+
+ This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.
+
+ For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+4. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
+
+## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
+
+The virtual smart card must be provisioned with a sign-in certificate for it to be fully functional.
+
+### To enroll the certificate
+
+1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu.
+
+2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
+
+ 
+
+3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
+
+ 
+
+4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
+
+5. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**.
+
+6. Wait for the enrollment to finish, and then click **Finish**.
+
+The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account.
+
+## See also
+
+- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
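Review bot: the procedure under "To create the TPM virtual smart card" jumps from step 2 to step 4; there is no step 3, so renumber "Wait several seconds for the process to finish..." as 3. (or restore the step if one was dropped during editing). Related: step 2 documents `/pin default` as setting the PIN to 12345678, and step 10 of the template procedure grants Enroll to Authenticated Users. Both are acceptable under the "test purposes only" Important callout near the top, but a one-line reminder at step 2 that `/pin prompt` is the choice outside a lab would keep the command from being copied as-is into a real deployment.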
diff --git a/windows/keep-secure/virtual-smart-card-overview.md b/windows/keep-secure/virtual-smart-card-overview.md
new file mode 100644
index 0000000000..54e8c6f4d2
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-overview.md
@@ -0,0 +1,123 @@
+---
+title: Virtual Smart Card Overview (Windows 10)
+description: This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft, and links to additional topics about virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Virtual Smart Card Overview
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards.
+
+**Did you mean…**
+
+- [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
+
+## Feature description
+
+Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware.
+
+By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
+
+## Practical applications
+
+Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+
+### Authentication use cases
+
+**Two-factor authentication‒based remote access**
+
+After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
+
+In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user’s access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established.
+
+**Client authentication**
+
+Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
+
+**Virtual smart card redirection for remote desktop connections**
+
+The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the remote computer, while maintaining the principles of two-factor authentication.
+
+**Windows To Go and virtual smart cards**
+
+Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the TPM on the physical host computer to which the removable storage device is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used for scenarios when a single physical computer is shared by many users. Each user can be given a removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way, users are only able to access their personal virtual smart card.
+
+### Confidentiality use cases
+
+**S/MIME email encryption**
+
+Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
+
+**BitLocker for data volumes**
+
+sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult.
+
+BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive.
+
+### Data integrity use case
+
+**Signing data**
+
+To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage.
+
+## New and changed functionality as of Windows 8.1
+
+Enhancements in Windows 8.1 enabled developers to build Windows Store apps to create and manage virtual smart cards.
+
+The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards.
+
+**What value does this change add?**
+
+Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens.
+
+- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with.
+
+- Personalize the virtual smart card.
+
+- Change the admin key.
+
+- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario.
+
+- Change the PIN.
+
+- Reset or Unblock the PIN.
+
+- Destroy the virtual smart card.
+
+**What works differently?**
+
+Starting with Windows 8.1, Windows Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
+
+For more information about developing Windows Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
+
+For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md).
+
+## Hardware requirements
+
+To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10 or Windows Server 2016.
+
+## Software requirements
+
+To use the virtual smart card technology, computers must be running one of the following operating systems:
+
+- Windows Server 2016
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows 10
+- Windows 8.1
+- Windows 8
+
+## See also
+
+- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
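Review bot: the non-exportability claim in the "Signing data" paragraph ("However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer.") should say explicitly that the key remains usable by software on that host that can present the PIN, so the protection is against key extraction, not against misuse from the host itself; likewise "far more secure than other methods for private key storage" is unqualified and should name the comparison the paragraph already sets up (a key stored in an accessible operating system). Also, "Hardware requirements" says "TPM 1.2 is the minimum required" while the "Use Virtual Smart Cards" topic added in this same change lists TPM 1.2 or 2.0 as supported; consider "TPM 1.2 or later" so the two topics agree. Minor: "Reset or Unblock the PIN" should be "Reset or unblock the PIN".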
diff --git a/windows/keep-secure/virtual-smart-card-tpmvscmgr.md b/windows/keep-secure/virtual-smart-card-tpmvscmgr.md
new file mode 100644
index 0000000000..d66bd95806
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-tpmvscmgr.md
@@ -0,0 +1,84 @@
+---
+title: Tpmvscmgr (Windows 10)
+description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Tpmvscmgr
+
+Applies To: Windows 10, Windows Server 2016
+
+The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
+
+## Syntax
+
+`Tpmvscmgr create [/quiet] /name /AdminKey {DEFAULT | PROMPT | RANDOM} [/PIN {DEFAULT | PROMPT}] [/PUK {DEFAULT | PROMPT}] [/generate] [/machine ] [/pinpolicy [policy options]] [/attestation {AIK_AND_CERT | AIK_ONLY}] [/?]`
+
+`Tpmvscmgr destroy [/quiet] [/instance ] [/machine ] [/?]`
+
+### Parameters for Create command
+
+The Create command sets up new virtual smart cards on the user’s system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
+
+| Parameter | Description |
+|-----------|-------------|
+| /name | Required. Indicates the name of the new virtual smart card. |
+| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN. **DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708. **PROMPT** Prompts the user to enter a value for the administrator key. **RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
+| /PIN | Indicates desired user PIN value. **DEFAULT** Specifies the default PIN of 12345678. **PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
+| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK. **DEFAULT** Specifies the default PUK of 12345678. **PROMPT** Prompts the user to enter a PUK at the command line. |
+| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft System Center Configuration Manager. |
+| /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
+| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options: **minlen** <minimum PIN length> If not specificed, defaults to 8. The lower bound is 4. **maxlen** <maximum PIN length> If not specificed, defaults to 127. The upper bound is 127. **uppercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.** **lowercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.** **digits** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.** **specialchars** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
+| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are: **AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail. **AIK_ONLY** Creates an AIK but does not obtain an AIK certificate. |
+| /? | Displays Help for this command. |
+
+### Parameters for Destroy command
+
+The Destroy command securely deletes a virtual smart card from a computer.
+
+> [!WARNING]
+> When a virtual smart card is deleted, it cannot be recovered.
+
+| **Parameter** | **Description** |
+|---------------|-------------------|
+| /instance | Specifies the instance ID of the virtual smart card to be removed. The instanceID was generated as output by Tpmvscmgr.exe when the card was created. The **/instance** parameter is a required field for the Destroy command. |
+| /machine | Allows you to specify the name of a remote computer on which the virtual smart card will be deleted. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in deleting a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
+| /? | Displays Help for this command. |
+
+## Remarks
+
+Membership in the Administrators group (or equivalent) on the target computer is the minimum required to run all the parameters of this command.
+
+For alphanumeric inputs, the full 127 character ASCII set is allowed.
+
+## Examples
+
+The following command shows how to create a virtual smart card that can be later managed by a smart card management tool launched from another computer.
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT
+
+Alternatively, instead of using a default administrator key, you can create an administrator key at the command line. The following command shows how to create an administrator key.
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT
+
+The following command will create the unmanaged virtual smart card that can be used to enroll certificates.
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate
+
+The preceding command will create a virtual smart card with a randomized administrator key. The key is automatically discarded after the card is created. This means that if the user forgets the PIN or wants to the change the PIN, the user needs to delete the card and create it again. To delete the card, the user can run the following command.
+
+ tpmvscmgr.exe destroy /instance
+
+where <instance ID> is the value printed on the screen when the user created the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000.
+
+The following command will create a TPM virtual smart card with the default value for the administrator key and a specified PIN policy and attestation method:
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
+
+## Additional references
+
+- [Virtual Smart Card Overview](virtual-smart-card-overview.md)
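Review bot: the angle-bracket placeholders have been dropped from the syntax lines and the examples, leaving incomplete commands: `Tpmvscmgr create [/quiet] /name /AdminKey ...` with `[/machine ]`, `Tpmvscmgr destroy [/quiet] [/instance ] [/machine ]`, and the example `tpmvscmgr.exe destroy /instance`, while the sentence after it still refers to `<instance ID>`; escape them (`/name \<name\>`, `/instance \<instance ID\>`, `/machine \<computer name\>`) or put them in backticks so Markdown does not treat them as HTML tags. The /pinpolicy row is split across a continuation line with no `+` prefix ("When using **/pinpolicy**, PIN characters must be printable ASCII characters."), which both breaks the patch and breaks the table cell; fold it into the row. Since the DEFAULT values for /AdminKey (010203040506070801020304050607080102030405060708) and /PIN (12345678) are published in the parameter table, the first example ("can be later managed by a smart card management tool") should note that a card created with /AdminKey DEFAULT carries a well-known administrator key and must be re-keyed by the management tool before the card is handed to a user. Typos: "specificed" (twice), "instanceID", "wants to the change the PIN".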
diff --git a/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md b/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md
new file mode 100644
index 0000000000..f32fddbf0b
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md
@@ -0,0 +1,136 @@
+---
+title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
+description: This topic for IT professional provides information about how smart card technology can fit into your authentication design, and provides links to additional topics about virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Understanding and Evaluating Virtual Smart Cards
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
+
+Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
+
+Virtual smart cards are functionally similar to physical smart cards. They appear as always-inserted smart cards, and they can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. Because TPM-enabled hardware is readily available and virtual smart cards can be easily deployed by using existing certificate enrollment methods, virtual smart cards can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+
+This topic contains the following sections:
+
+- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards):
+ Compares properties, functional aspects, security, and cost.
+
+- [Authentication design options](#authentication-design-options):
+ Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
+
+- [See also](#see-also):
+ Links to other topics that can help you design, deploy, and troubleshoot virtual smart cards.
+
+## Comparing virtual smart cards with physical smart cards
+
+Virtual smart cards function much like physical smart cards, but they differ in that they protect private keys by using the TPM of the computer instead of smart card media.
+
+A virtual smart card appears to applications as a conventional smart card. Private keys in the virtual smart card are protected, not by isolation of physical memory, but by the cryptographic capabilities of the TPM. All sensitive information is encrypted by using the TPM and then stored on the hard drive in its encrypted form.
+
+All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user will not be able to access keys that are stored in the virtual smart card because they are securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption.
+
+Virtual smart cards maintain the three key properties of physical smart cards:
+
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
+
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards.
+
+**Functionality**
+
+The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user’s virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
+
+The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card.
+
+Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
+
+**Security**
+
+Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
+
+TPM virtual smart cards, however, reside on a user’s computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
+
+However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
+
+**Cost**
+
+If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
+
+Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
+
+**Comparison summary**
+
+| Physical Smart Cards | TPM virtual smart cards |
+|---------------------|-------------------|
+| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. |
+| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. |
+| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
+| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user’s computer or device. |
+| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
+| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. |
+| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
+| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
+| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user’s computer, which may be left unattended and allow a greater risk window for hammering attempts. |
+| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. |
+| Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
+| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. |
+| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user’s sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. |
+
+## Authentication design options
+
+The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication.
+
+**Passwords**
+
+A password is a secret string of characters that is tied to the identification credentials for a user’s account. This establishes the user’s identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
+
+Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user’s password and impersonate that person’s identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained.
+
+**One-time passwords**
+
+A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user’s OTP, the interceptor will have limited access to the system (only one session).
+
+**Smart cards**
+
+Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
+
+- **Non-exportability**: Information stored on the card, such as the user’s private keys, cannot be extracted from one device and used in another medium.
+
+- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions.
+
+- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken.
+
+Smart cards provide greatly enhanced security over passwords alone, because it is much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN.
+
+Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone.
+
+Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen.
+
+**Virtual smart cards**
+
+To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers.
+
+Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user’s possession of a computer or device is equivalent to the possession of a smart card, and a user’s identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
+
+## See also
+
+- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+
+- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
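Review bot: "So like physical smart cards, virtual smart cards remain secure from any malware on the host." is stronger than the rest of this topic supports: the "Security" subsection later says a host left unattended "provides an opportunity for a malicious user to hammer the TPM", and the "Non-exportability" and "Isolated cryptography" bullets describe protection of the key material, not of its use; narrow the sentence to "the private keys cannot be read or exported by malware on the host". The front-matter description "This topic for IT professional provides" should read "for the IT professional". In the comparison table, the column headers "Physical Smart Cards" and "TPM virtual smart cards" use inconsistent capitalization.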
diff --git a/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md b/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md
new file mode 100644
index 0000000000..6dfa73df29
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md
@@ -0,0 +1,95 @@
+---
+title: Use Virtual Smart Cards (Windows 10)
+description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Use Virtual Smart Cards
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
+
+## Requirements, restrictions, and limitations
+
+| Area | Requirements and details |
+|-------------|---------------------------|
+| Supported operating systems | Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows 10 Windows 8.1 Windows 8 |
+| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
+| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note** You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them. |
+| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated. |
+| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters. The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
+
+## Using Tpmvscmgr.exe
+
+To create and delete TPM virtual smart cards for end users, the Tpmvscmgr command-line tool is included as a command-line tool with the operating system. You can use the **Create** and **Delete** parameters to manage virtual smart cards on local or remote computers. For information about using this tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+## Create and delete virtual smart cards programmatically
+
+Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
+
+- [TpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707171(v=vs.85).aspx)
+
+- [RemoteTpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707166(v=vs.85).aspx)
+
+- [ITpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707160(v=vs.85).aspx)
+
+- [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx)
+
+You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
+
+The following table describes the features that can be developed in a Windows Store app:
+
+| Feature | Physical Smart Card | Virtual Smart Card |
+|----------------------------------------------|---------------------|--------------------|
+| Query and monitor smart card readers | Yes | Yes |
+| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
+| Verify if the administrative key of a card is correct | Yes | Yes |
+| Provision (or reformat) a card with a given card ID | Yes | Yes |
+| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
+| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
+| Create a virtual smart card | Not applicable | Yes |
+| Delete a virtual smart card | Not applicable | Yes |
+| Set PIN policies | No | Yes |
+
+For more information about these Windows APIs, see:
+
+- [Windows.Devices.SmartCards namespace (Windows)](https://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx)
+
+- [Windows.Security.Cryptography.Certificates namespace (Windows)](https://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx)
+
+## Distinguishing TPM-based virtual smart cards from physical smart cards
+
+To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
+
+
+
+A TPM-based virtual smart card is labeled **Security Device** in the user interface.
+
+## Changing the PIN
+
+The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**.
+
+## Resolving issues
+
+### TPM not provisioned
+
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+
+If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
+
+If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
+
+If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
+
+### TPM in lockout state
+
+Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
+
+## See also
+
+For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
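Review bot: the table row beginning `| Supported virtual smart cards per computer | Ten smart cards can be connected ...` is split across two lines, with the `**Note** You can create more than one virtual smart card; ...` continuation on a line of its own, which breaks the markdown table because a cell cannot contain a raw line break; join the two lines and put `<br>` before `**Note**`. In the same table the `Supported operating systems` cell runs the names together (`Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 ...`) with no separators, so add `<br>` or commas between them. Further down, under `## Distinguishing TPM-based virtual smart cards from physical smart cards`, the sentence `The following icon is displayed during sign in ...` is followed only by blank lines, so the icon image reference looks to have been dropped from the hunk and should be restored.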
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
index 5ad7eddc7a..f2db32eb9d 100644
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
-- [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
+- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
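Review bot: only the first bullet's anchor is corrected to the heading slug (`#identity-and-access-control`), while the two sibling bullets in the unchanged context still link to `#information` and `#malware`. If the short bookmark id for the identity section no longer resolves, the same is almost certainly true for these two, so update them in the same change to the slugs of their headings (`#information-protection` and `#malware-resistance`, assuming the headings match the bullet titles) and verify all three anchors render.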
@@ -436,7 +436,7 @@ The functionality a TPM provides includes:
Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
-Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
+Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@@ -576,7 +576,7 @@ The core functionality and protection of Device Guard starts at the hardware lev
Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.
-Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section.
+Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.
#### Device Guard with AppLocker
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 9b54a7e5a7..e82ec6f3d5 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -36,7 +36,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and
| Section | Description |
| - | - |
-| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
+| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
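Review bot: this change runs against the rest of the patch: it replaces the heading-slug anchor `#set-profile-global-defaults` with the bookmark-style `#bkmk-profileglobaldefaults`, while the other rows of the same table (`#deploy-basic-firewall-rules`, `#manage-remotely`, `#deploy-basic-ipsec-rule-settings`) keep slug anchors. Confirm that the target heading in this file actually carries a `bkmk-profileglobaldefaults` id; if it does not, this is a regression and the original slug should be retained so the table stays consistent.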
diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
index ee48d1325c..f62ee298ba 100644
--- a/windows/keep-secure/windows-security-baselines.md
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -11,6 +11,12 @@ author: brianlic-msft
# Windows security baselines
+**Applies to**
+
+- Windows 10
+- Windows Server 2016
+- Windows Server 2012 R2
+
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
@@ -51,12 +57,13 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
### Windows 10 security baselines
+ - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
-
### Windows Server security baselines
+ - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
## How can I monitor security baseline deployments?
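Review bot: the blank line removed between the `Windows 10, Version 1507 security baseline` entry and the `### Windows Server security baselines` heading is unrelated to the change and should stay, so the first list is clearly terminated before the next heading. Listing the version 1607 / Windows Server 2016 baseline under both headings is reasonable since it covers both products, but the new link uses the `fwlink/?linkid=831663` form while the sibling entries use `fwlink/p/?LinkID=`; use one form for all three entries.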
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index b3a2c2b025..54af0df920 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -9,7 +9,7 @@
### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-### [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
@@ -17,7 +17,9 @@
#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+### [Manage device restarts after updates](waas-restart.md)
## [Manage corporate devices](manage-corporate-devices.md)
+### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
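Review bot: the two new TOC entries point at `waas-restart.md` and `manage-windows-10-in-your-organization-modern-management.md`; confirm both files are added elsewhere in this PR (they are not visible in these hunks), otherwise the table of contents will publish two dead links. The entry title `Manage Windows 10 in your organization - transitioning to modern management` is also noticeably longer than its siblings; consider trimming it to the part before the hyphen.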
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md
index f9a6004ba5..156d071c04 100644
--- a/windows/manage/acquire-apps-windows-store-for-business.md
+++ b/windows/manage/acquire-apps-windows-store-for-business.md
@@ -33,7 +33,7 @@ There are a couple of things we need to know when you pay for apps. You can add
You can add payment info on **Account information**. If you don’t have one saved with your account, you’ll be prompted to provide one when you buy an app.
## Acquire apps
-To acquire an app
+**To acquire an app**
1. Log in to http://businessstore.microsoft.com
2. Click Shop, or use Search to find an app.
3. Click the app you want to purchase.
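Review bot: step 1 in the unchanged context, `Log in to http://businessstore.microsoft.com`, sends readers to a sign-in page over plain http. Change it to `https://businessstore.microsoft.com` and format it as a markdown link like the other Store for Business references in this patch, so a sign-in instruction never points at an unencrypted URL.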
@@ -42,7 +42,7 @@ To acquire an app
6. If you don’t have a payment method saved in Account settings, Store for Business will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information**.
-You’ll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see organization tax information.
+You’ll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
Store for Business adds the app to your inventory. From **Inventory**, you can:
- Distribute the app: add to private store, or assign licenses
diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md
index ec263eede3..e228b7bbba 100644
--- a/windows/manage/app-inventory-management-windows-store-for-business.md
+++ b/windows/manage/app-inventory-management-windows-store-for-business.md
@@ -209,6 +209,19 @@ For each app in your inventory, you can view and manage license details. This gi
Store for Business updates the list of assigned licenses.
+### Purchase additional licenses
+You can purchase additional licenses for apps in your Inventory.
+
+**To purchase additional app licenses**
+
+1. Sign in to [Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845)
+2. Click **Manage**, and then choose **Inventory**.
+3. From **Inventory**, click an app.
+4. On the app page, click **View app details**.
+5. From this page, click **Buy more** for additional licenses, or click **Manage** to work with your current licenses.
+
+You'll have a summary of current license availability.
+
### Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
diff --git a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 467da82dda..fac7e4b9ae 100644
--- a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -16,7 +16,7 @@ ms.prod: w10
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
-- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-powershell-cmdlets-to-create-user-entitled-connection-groups)
+- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups)
diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
index c492e3a97e..35d5d237ef 100644
--- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
@@ -243,7 +243,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
- The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-XML-file), later in this topic.
+ The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
diff --git a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
index ca8397a1fe..21632ad793 100644
--- a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
@@ -80,7 +80,7 @@ Set-AppvClientConfiguration -SharedContentStoreMode 1
The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications.
-For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
+For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md).
To deploy the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
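Review bot: the link now drops the `#bkmk-seqimprove` fragment entirely instead of replacing it, so readers land at the top of `appv-about-appv.md` rather than at the sequencer-improvements section the sentence promises. Elsewhere in this patch broken bookmark ids are mapped to the heading slug; do the same here (for example `appv-about-appv.md#<slug-of-the-sequencer-improvements-heading>`) rather than removing the deep link.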
diff --git a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 2c29e70fd9..e9021103ab 100644
--- a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -75,9 +75,9 @@ Review the following requirements for using the Windows PowerShell cmdlets:
To configure these cmdlets to require an elevated command prompt, use one of the following methods:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
-
For more information, see: [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#bkmk-admin-only-posh-topic-cg) [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
+
For more information, see: [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md) [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-
For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md#bkmk-admin-pub-pkg-only-posh)
+
For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)
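Review bot: both edited lines remove the fragment (`#bkmk-admin-only-posh-topic-cg` and `#bkmk-admin-pub-pkg-only-posh`) instead of replacing it, losing the deep link. The first target section is renamed later in this same patch to `## To allow only administrators to enable connection groups`, so the link can point at `appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#to-allow-only-administrators-to-enable-connection-groups`; map the second fragment to its heading slug the same way. Also the two links on the first edited line are run together with no separator (`...powershell.md) [How to Manage App-V Packages ...`); put `and` between them. Note the second link on that line still carries a `#bkmk-admins-pub-pkgs` fragment, which is inconsistent with removing the first.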
diff --git a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 3d52191607..a17b12ea73 100644
--- a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -20,15 +20,15 @@ A connection group XML file defines the connection group for the App-V client. F
This topic explains the following procedures:
-- [To add and publish the App-V packages in the connection group](#bkmk-add-pub-pkgs-in-cg)
+- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
-- [To add and enable the connection group on the App-V client](#bkmk-add-enable-cg-on-clt)
+- [To add and enable the connection group on the App-V client](#to-add-and-enable-the-connection-group-on-the-app-v-client)
-- [To enable or disable a connection group for a specific user](#bkmk-enable-cg-for-user-poshtopic)
+- [To enable or disable a connection group for a specific user](#to-enable-or-disable-a-connection-group-for-a-specific-user)
-- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
+- [To allow only administrators to enable connection groups](#to-allow-only-administrators-to-enable-connection-groups)
-**To add and publish the App-V packages in the connection group**
+## To add and publish the App-V packages in the connection group
1. To add and publish the App-V packages to the computer running the App-V client, type the following command:
@@ -36,7 +36,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+## To add and enable the connection group on the App-V client
1. Add the connection group by typing the following command:
@@ -48,7 +48,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+## To enable or disable a connection group for a specific user
1. Review the parameter description and requirements:
@@ -89,9 +89,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+## To allow only administrators to enable connection groups
1. Review the description and requirement for using this cmdlet:
diff --git a/windows/manage/appv-modify-an-existing-virtual-application-package.md b/windows/manage/appv-modify-an-existing-virtual-application-package.md
index 5c84ac6d8d..38224bb8bb 100644
--- a/windows/manage/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/manage/appv-modify-an-existing-virtual-application-package.md
@@ -16,11 +16,11 @@ ms.prod: w10
This topic explains how to:
-- [Update an application in an existing virtual application package](#bkmk-update-app-in-pkg)
+- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
-- [Modify the properties associated with an existing virtual application package](#bkmk-chg-props-in-pkg)
+- [Modify the properties associated with an existing virtual application package](#modify-the-properties-associated-with-an-existing-virtual-application-package)
-- [Add a new application to an existing virtual application package](#bkmk-add-app-to-pkg)
+- [Add a new application to an existing virtual application package](#add-a-new-application-to-an-existing-virtual-application-package)
**Before you update a package:**
@@ -32,7 +32,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+## Update an application in an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -47,25 +47,17 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
- **Note**
- The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
+ >**Note** The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
- **Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
+ >**Note** You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
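Review bot: the two replacement callouts use `>**Note** text` with no space after `>` and the body run into the label, whereas other topics touched by this PR use the `> [!NOTE]` alert form with the body on its own `>` line (see the sequencer planning and telemetry topics); pick one form, preferably `> [!NOTE]`, so the callout renders consistently. The untouched `**Important**` block at the top of this hunk also stays in the old bold-line form, so step 5 and step 7 now mix both styles in the same procedure.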
@@ -73,7 +65,8 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+
+## Modify the properties associated with an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -109,14 +102,11 @@ This topic explains how to:
- Add or edit shortcuts and file type associations.
- **Note**
- To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
+ >**Note** To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+## Add a new application to an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -128,19 +118,13 @@ This topic explains how to:
5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**.
- **Important**
- If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
+ >**Important** If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
- **Note**
- The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
+ >**Note** The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
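Review bot: the virus-scanning `>**Important**` under step 5 is the one security-relevant callout in this procedure, and in the new blockquote form it renders as ordinary quoted text; use the `> [!IMPORTANT]` alert so it stands out. Its wording also drifted from the equivalent note in the update procedure earlier in this file ("can be added" here versus "are added" there); align the two, and consider pointing out that, because the note after step 7 says the sequencer records every change on the machine, the scan needs to cover the whole sequencing computer, not only the installer.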
@@ -152,10 +136,7 @@ This topic explains how to:
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
- **Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
+ >**Note** You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
diff --git a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
index bd7f629151..07c1f7c438 100644
--- a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
@@ -21,7 +21,7 @@ Before you can use App-V, you must install the App-V Sequencer, enable the App-V
App-V uses a process called sequencing to create virtualized applications and application packages. Sequencing requires the use of a computer that runs the App-V Sequencer.
> [!NOTE]
-> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
+> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md).
The computer that runs the App-V sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V Supported Configurations](appv-supported-configurations.md).
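Review bot: the link fix drops the `#bkmk-seqimprove` fragment entirely instead of retargeting it, so readers now land at the top of the "What's new" topic rather than at the sequencer-improvements section; if the old `bkmk-seqimprove` id was removed as part of the heading cleanup in this PR, replace the fragment with the new heading slug for that section rather than removing it.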
diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md
index 46907201bd..bd79da1f4f 100644
--- a/windows/manage/appv-planning-for-using-appv-with-office.md
+++ b/windows/manage/appv-planning-for-using-appv-with-office.md
@@ -26,15 +26,14 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
## App-V support for Language Packs
-You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
+You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
**Note**
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
-
-
## Supported versions of Microsoft Office
+
The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
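Review bot: the blank-line fix leaves the adjacent `**Note**` about Visio and Project and the Thai Language Pack in the old two-line bold form, while this PR converts the same pattern to a blockquote callout in the sequencer topics; convert it here too for consistency. Generalising "Office 2013 package" to "Office package" is right given the 2016 rows added below, but the sentence should then say which versions the Office Deployment Toolkit path covers, since the table that follows is now the only place that information lives.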
@@ -55,7 +54,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
-
Office 365 ProPlus
+
Office 365 ProPlus (either the Office 2013 or the Office 2016 version)
Also supported:
Visio Pro for Office 365
@@ -71,6 +70,22 @@ The following table lists the versions of Microsoft Office that App-V supports,
+
+
Visio Professional 2016 (C2R-P)
+
Visio Standard 2016 (C2R-P)
+
Project Professional 2016 (C2R-P)
+
Project Standard 2016 (C2R-P)
+
+
Office Deployment Tool
+
Volume Licensing
+
+
Desktop
+
Personal VDI
+
Pooled VDI
+
RDS
+
+
+
Office Professional Plus 2013
Also supported:
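Review bot: the new 2016 Click-to-Run rows (Visio Professional/Standard 2016, Project Professional/Standard 2016) are followed by Office Deployment Tool, Volume Licensing, Desktop, Personal VDI, Pooled VDI and RDS cells; the extracted view shows only the cell text, so confirm the row has the same number of cells as the Office Professional Plus 2013 row immediately below it (package creation method, licensing, supported deployments, per the table's intro sentence) and that the `(C2R-P)` suffix is explained somewhere in the topic, as it is not expanded in the table.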
@@ -89,12 +104,9 @@ The following table lists the versions of Microsoft Office that App-V supports,
-
-
## Planning for using App-V with coexisting versions of Office
-
-You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSi) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
+You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSI) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
Microsoft’s recommended best practice is to avoid Office coexistence completely to prevent compatibility issues. However, when you are migrating to a newer version of Office, issues occasionally arise that can’t be resolved immediately, so you can temporarily implement coexistence to help facilitate a faster migration to the latest product version. Using Office coexistence on a long-term basis is never recommended, and your organization should have a plan to fully transition in the immediate future.
@@ -115,19 +127,22 @@ Before implementing Office coexistence, review the following Office documentatio
+
Office 2016
+
[Information about how to use Outlook 2016 or 2013 and an earlier version of Outlook installed on the same computer](https://support.microsoft.com/kb/2782408)
+
+
Office 2013
[Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)
-
+
Office 2010
[Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)
-
-The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
+The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
### Supported Office coexistence scenarios
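Review bot: the new Office 2016 row cites only an Outlook-specific article (KB 2782408, "Outlook 2016 or 2013 and an earlier version of Outlook"), whereas the Office 2013 and Office 2010 rows cite suite-level coexistence guidance; if a suite-level Office 2016 coexistence article exists, add it, otherwise say in the cell that only Outlook guidance is available so readers do not assume the Outlook article covers the whole suite. The `MSi` to `MSI` fix in the closing paragraph is correct.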
@@ -166,11 +181,13 @@ The Windows Installer-based and Click-to-Run Office installation methods integra
Office 2013
Always integrated. Windows operating system integrations cannot be disabled.
+
+
Office 2016
+
Always integrated. Windows operating system integrations cannot be disabled.
+
-
-
Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069).
### Known limitations of Office coexistence scenarios
@@ -183,9 +200,9 @@ The following limitations can occur when you install the following versions of O
- Office 2010 by using the Windows Installer-based version
-- Office 2013 by using App-V
+- Office 2013 or Office 2016 by using App-V
-After you publish Office 2013 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010 might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
+After you publish Office 2013 or Office 2016 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010, it might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
To bypass the auto-registration operation for native Word 2010, follow these steps:
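Review bot: the rewritten sentence still has a dangling subject ("After you publish ... , it might also cause the Windows Installer to start") and the odd phrase "an earlier version of the Windows Installer-based Office 2010"; suggest "Publishing Office 2013 or Office 2016 by using App-V side by side with the Windows Installer-based Office 2010 might also cause Windows Installer to start." The bullet fix to "Office 2013 or Office 2016 by using App-V" is fine, but the heading of the workaround that follows still names only Word 2010, so say whether the steps apply to the Office 2016 case as well.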
@@ -215,12 +232,13 @@ To bypass the auto-registration operation for native Word 2010, follow these ste
8. On the File menu, click **Exit** to close Registry Editor.
+
+
## How Office integrates with Windows when you use App-V to deploy Office
+When you deploy Office 2013 or Office 2016 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
-When you deploy Office 2013 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
-
-The Office 2013 App-V package supports the following integration points with the Windows operating system:
+The Office 2013 or Office 2016 App-V package supports the following integration points with the Windows operating system:
@@ -235,8 +253,8 @@ The Office 2013 App-V package supports the following integration points with the
-
Lync meeting Join Plug-in for Firefox and Chrome
-
User can join Lync meetings from Firefox and Chrome
+
Skype for Business (formerly Lync) meeting Join Plug-in for Firefox and Chrome
+
User can join Skype meetings from Firefox and Chrome
Sent to OneNote Print Driver
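Review bot: the row label says "Skype for Business (formerly Lync)" but the description cell says "User can join Skype meetings", which reads as consumer Skype; use "Skype for Business meetings" in the description to match the label and avoid conflating the two products.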
@@ -251,8 +269,8 @@ The Office 2013 App-V package supports the following integration points with the
User can send to OneNote from IE
-
Firewall Exception for Lync and Outlook
-
Firewall Exception for Lync and Outlook
+
Firewall Exception for Skype for Business (formerly Lync) and Outlook
+
Firewall Exception for Skype for Business (formerly Lync) and Outlook
MAPI Client
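Review bot: both cells of the firewall row now carry the identical text "Firewall Exception for Skype for Business (formerly Lync) and Outlook", so the description column says nothing; the other rows use that column for the user-visible effect (for example "User can join ... meetings"), and for a firewall integration point the description should state what the exception permits (which executables are allowed inbound/outbound), since that is what an administrator reviewing host firewall posture needs to know.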
@@ -307,6 +325,6 @@ Add or vote on suggestions on the [Application Virtualization feedback site](htt
## Related topics
+- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
-
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
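Review bot: the new Office 2016 link target follows the `appv-deploying-microsoft-office-2016-with-appv.md` pattern, but the unchanged Office 2010 entry points at `appv-deploying-microsoft-office-2010-wth-appv.md` ("wth"); verify the file really has that name or fix the link while this list is being edited.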
diff --git a/windows/manage/appv-release-notes-for-appv-for-windows.md b/windows/manage/appv-release-notes-for-appv-for-windows.md
index a80d391a45..0982031249 100644
--- a/windows/manage/appv-release-notes-for-appv-for-windows.md
+++ b/windows/manage/appv-release-notes-for-appv-for-windows.md
@@ -30,17 +30,19 @@ MSI packages that were generated using an App-V sequencer from previous versions
- For the standalone Windows 10 SDK without other tools, see [Standalone Windows 10 SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk).
-3. From an elevated Windows PowerShell prompt, navigate to the following folder:
+3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin**
+
+4. From an elevated Windows PowerShell prompt, navigate to the following folder:
<Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\**
By default, this path will be: **C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer**
-4. Run the following command:
+5. Run the following command:
- `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""`
+ `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""`
- By default, the path to the Windows SDK installation will be: **C:\Program Files (x86)\Windows Kits\10**
+ where the path is to the new directory (**C:\MyMsiTools\ for this example**).
## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10
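Review bot: the `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""` line is byte-identical before and after, and both parameter values render as empty strings, so the angle-bracket placeholders inside the quotes are being swallowed as HTML; escape them or put the command in a fenced block so readers see what to fill in. The directory is also inconsistent between step 3 (`C:\MyMsiTools\bin`) and step 5 (`C:\MyMsiTools\ for this example`, with "for this example" inside the bold span), and since the cmdlet presumably runs `msidb.exe` from whatever directory `-MsSdkPath` names, the example should use a location that standard users cannot write to.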
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index cb46f438f0..cf1b406e61 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -12,6 +12,24 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## November 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Windows 10 IoT Mobile |
+
+## October 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Manage device restarts after updates](waas-restart.md) | New |
+| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
+| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
+| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
+| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
+
+
## September 2016
| New or changed topic | Description |
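Review bot: minor table hygiene in the new entries: the Cortana row has `|Added` with no space after the pipe, unlike every other cell, and two blank lines are left before "## September 2016" where the other month sections use one. The October entry for the Start layout topic ("Fixed the explanation for Start behavior when the .xml file ... is not available") documents a behaviour reversal in that topic, so it deserves a sentence saying what the corrected behaviour is.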
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
index 87818ca231..3bb9df599b 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -201,7 +201,7 @@ The data gathered at this level includes:
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
+ > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
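Review bot: the retargeted link now points at `#bkmk-defender` in the manage-connections topic, which matches the `[21. Windows Defender](#bkmk-defender)` summary-table entry in that file, but the same PR is renaming anchors in that topic (`#bkmk-priv-general` to `#bkmk-general`), so confirm the `bkmk-defender` id on the Windows Defender section heading itself survived the cleanup; a broken link here hides the only pointer to how Defender reporting is disabled.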
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index d0d6b868e6..80e8f90299 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -67,7 +67,7 @@ The GPO applies the Start and taskbar layout at the next user sign-in. Each time
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
-The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start and the taskbar are not customized during the session, and the user can make changes to Start.
+The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar.
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620889).
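Review bot: the new behaviour text reverses the old one (users were previously said to be able to change Start when the file is missing; now they are "prevented from making changes"), and "when the first user signs in" is ambiguous between the first sign-in of each user and the first user on the device; reword to whichever is meant, for example "when a user first signs in". Since the policy depends on a layout file on a share, it is also worth restating that the share permissions should grant users Read-only access and nothing more, because a writable layout file lets a user change the Start and taskbar layout applied to everyone.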
diff --git a/windows/manage/images/waas-active-hours-policy.PNG b/windows/manage/images/waas-active-hours-policy.PNG
new file mode 100644
index 0000000000..af80ef6652
Binary files /dev/null and b/windows/manage/images/waas-active-hours-policy.PNG differ
diff --git a/windows/manage/images/waas-active-hours.PNG b/windows/manage/images/waas-active-hours.PNG
new file mode 100644
index 0000000000..c262c302ed
Binary files /dev/null and b/windows/manage/images/waas-active-hours.PNG differ
diff --git a/windows/manage/images/waas-auto-update-policy.PNG b/windows/manage/images/waas-auto-update-policy.PNG
new file mode 100644
index 0000000000..52a1629cbf
Binary files /dev/null and b/windows/manage/images/waas-auto-update-policy.PNG differ
diff --git a/windows/manage/images/waas-restart-policy.PNG b/windows/manage/images/waas-restart-policy.PNG
new file mode 100644
index 0000000000..936f9aeb08
Binary files /dev/null and b/windows/manage/images/waas-restart-policy.PNG differ
diff --git a/windows/manage/images/waas-rings.png b/windows/manage/images/waas-rings.png
index a5446f3dff..041a59ce87 100644
Binary files a/windows/manage/images/waas-rings.png and b/windows/manage/images/waas-rings.png differ
diff --git a/windows/manage/images/waas-wufb-gp-cb2-settings.png b/windows/manage/images/waas-wufb-gp-cb2-settings.png
index bba58927d9..ae6ed4d856 100644
Binary files a/windows/manage/images/waas-wufb-gp-cb2-settings.png and b/windows/manage/images/waas-wufb-gp-cb2-settings.png differ
diff --git a/windows/manage/images/waas-wufb-gp-cbb2-settings.png b/windows/manage/images/waas-wufb-gp-cbb2-settings.png
index 7d8358f20b..e5aff1cc89 100644
Binary files a/windows/manage/images/waas-wufb-gp-cbb2-settings.png and b/windows/manage/images/waas-wufb-gp-cbb2-settings.png differ
diff --git a/windows/manage/images/waas-wufb-gp-scope.png b/windows/manage/images/waas-wufb-gp-scope.png
index e6fe366c29..a04d8194df 100644
Binary files a/windows/manage/images/waas-wufb-gp-scope.png and b/windows/manage/images/waas-wufb-gp-scope.png differ
diff --git a/windows/manage/images/waas-wufb-intune-cbb2a.png b/windows/manage/images/waas-wufb-intune-cbb2a.png
index 23276c4659..a980e0e43a 100644
Binary files a/windows/manage/images/waas-wufb-intune-cbb2a.png and b/windows/manage/images/waas-wufb-intune-cbb2a.png differ
diff --git a/windows/manage/images/waas-wufb-intune-step11a.png b/windows/manage/images/waas-wufb-intune-step11a.png
index 48db2f63af..7291484c93 100644
Binary files a/windows/manage/images/waas-wufb-intune-step11a.png and b/windows/manage/images/waas-wufb-intune-step11a.png differ
diff --git a/windows/manage/images/windows-10-management-cyod-byod-flow.png b/windows/manage/images/windows-10-management-cyod-byod-flow.png
new file mode 100644
index 0000000000..6121e93832
Binary files /dev/null and b/windows/manage/images/windows-10-management-cyod-byod-flow.png differ
diff --git a/windows/manage/images/windows-10-management-gp-intune-flow.png b/windows/manage/images/windows-10-management-gp-intune-flow.png
new file mode 100644
index 0000000000..c9e3f2ea31
Binary files /dev/null and b/windows/manage/images/windows-10-management-gp-intune-flow.png differ
diff --git a/windows/manage/images/windows-10-management-range-of-options.png b/windows/manage/images/windows-10-management-range-of-options.png
new file mode 100644
index 0000000000..e4de546709
Binary files /dev/null and b/windows/manage/images/windows-10-management-range-of-options.png differ
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index 6c398d7d27..eae687dfc0 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -81,9 +81,9 @@ An added work account provides the same SSO experience in browser apps like Offi
An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615)
-- **Microsoft Passport**
+- **Windows Hello**
- Creating a Microsoft Passport (PIN) is required on Windows 10 Mobile by default and cannot be disabled. [You can control Microsoft Passport policies](https://go.microsoft.com/fwlink/p/?LinkId=735079) using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Windows Hello (biometrics such as fingerprint or iris) can be used for Passport authentication. Creating a Microsoft Passport requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Microsoft Passport for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
+ Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policiesusing controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
- **Conditional access**
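Review bot: the rename introduces "policiesusing" (missing space) and keeps "perform an multi-factor authentication" (should be "a multi-factor"); "Creating a Windows Hello (PIN)" and "Creating a Windows Hello requires" also read oddly, suggest "Creating a Windows Hello PIN". The rewrite additionally drops the link that the old text attached to the policy-control sentence (LinkId=735079), so "You can control Windows Hello policies" now has no pointer to the MDM policy reference; restore the link if it is still valid.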
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 282c9805d9..936ed8c310 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -385,7 +385,7 @@ For a list of the settings and quick actions that you can allow or block, see [S
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
- [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin)
+ [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown).
In the XML file, you define each role with a GUID and name, as shown in the following example:
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 42d9d21bc2..c6e5606348 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -11,9 +11,7 @@ author: brianlic-msft
---
# Manage connections from Windows operating system components to Microsoft services
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
+
**Applies to**
- Windows 10
@@ -75,7 +73,7 @@ See the following table for a summary of the management settings for Windows 10
| [14. OneDrive](#bkmk-onedrive) | |  | |  | |
| [15. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
| [16. Settings > Privacy](#bkmk-settingssection) | | | | | |
-| [16.1 General](#bkmk-priv-general) |  |  |  |  | |
+| [16.1 General](#bkmk-general) |  |  |  |  | |
| [16.2 Location](#bkmk-priv-location) |  |  |  | | |
| [16.3 Camera](#bkmk-priv-camera) |  |  |  | | |
| [16.4 Microphone](#bkmk-priv-microphone) |  |  | | | |
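Review bot: the "16.1 General" row now links to "#bkmk-general" while every other 16.x row keeps the "#bkmk-priv-" prefix; the section 16.1 heading is not part of this diff, so confirm that anchor actually exists in the target heading, otherwise the link silently drops readers at the top of the page.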
@@ -94,7 +92,7 @@ See the following table for a summary of the management settings for Windows 10
| [16.17 Motion](#bkmk-priv-motion) |  |  | | | |
| [17. Software Protection Platform](#bkmk-spp) | |  |  | | |
| [18. Sync your settings](#bkmk-syncsettings) |  |  |  | | |
-| [19. Teredo](#bkmk-teredo) | | | | |  |
+| [19. Teredo](#bkmk-teredo) | |  | | |  |
| [20. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
| [21. Windows Defender](#bkmk-defender) | |  |  |  | |
| [22. Windows Media Player](#bkmk-wmp) |  | | | |  |
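Review bot: the only change in the Teredo row is a previously empty cell becoming non-empty, presumably marking an additional configuration method; that should be the Group Policy column, matching the Group Policy option this patch adds to section 19, so please verify the marker is in the right column rather than the command-line one.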
@@ -121,9 +119,9 @@ See the following table for a summary of the management settings for Windows Ser
| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | |
| [14. OneDrive](#bkmk-onedrive) | |  | | |
| [16. Settings > Privacy](#bkmk-settingssection) | | | | |
-| [16.1 General](#bkmk-priv-general) |  |  |  | |
+| [16.1 General](#bkmk-general) |  |  |  | |
| [17. Software Protection Platform](#bkmk-spp) | |  | | |
-| [19. Teredo](#bkmk-teredo) | | | |  |
+| [19. Teredo](#bkmk-teredo) | |  | |  |
| [21. Windows Defender](#bkmk-defender) | |  |  | |
| [22. Windows Media Player](#bkmk-wmp) | | | |  |
| [24. Windows Store](#bkmk-windowsstore) | |  | | |
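Review bot: two things to verify in the Windows Server table: the "16.1 General" anchor changes to "#bkmk-general" (the heading that defines it is not in this diff, so check it exists), and the new marker in the Teredo row must sit in the Group Policy column, consistent with the Group Policy method added to section 19 further down in this patch.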
@@ -140,7 +138,7 @@ See the following table for a summary of the management settings for Windows Ser
| [5. Font streaming](#font-streaming) |  |  | |
| [12. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
| [17. Software Protection Platform](#bkmk-spp) |  | | |
-| [19. Teredo](#bkmk-teredo) | | |  |
+| [19. Teredo](#bkmk-teredo) |  | |  |
| [21. Windows Defender](#bkmk-defender) |  |  | |
| [26. Windows Update](#bkmk-wu) |  |  | |
@@ -1117,7 +1115,14 @@ To turn off Messaging cloud sync:
### 19. Teredo
-You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+
+>[!NOTE]
+>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
+
+ -or-
- From an elevated command prompt, run **netsh interface teredo set state disabled**
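Review bot: "XBOX" in the added note should be "Xbox". The "-or-" separator is indented by one space while the two bullets are flush left, so it will render as continuation text of the Group Policy bullet; either indent it to the bullet's text column or leave it unindented. Since the section now offers two ways to disable Teredo, consider stating which one takes precedence when both are configured, so admins who already ran the netsh command know whether the policy setting overrides it.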
@@ -1353,3 +1358,5 @@ You can turn off automatic updates by doing one of the following. This is not re
- **5**. Turn off automatic updates.
To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
+
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.
\ No newline at end of file
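Review bot: grammar on the added paragraph: "Make sure should you've chosen the right settings configuration" should read "Make sure you've chosen the right settings configuration". The paragraph itself warns that some baseline settings reduce the device's functionality and security configuration and are not recommended, but it does not say which; naming them, or linking to where they are listed, would keep readers from applying the whole baseline blindly. The file is still saved without a trailing newline.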
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index f96628d60a..c282a281cf 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -19,81 +19,22 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.
+You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10.
-There are several options for managing Windows 10 on corporate-owned devices in an enterprise.
+## In this section
-## Identity and management options
+| Topic | Description |
+| --- | --- |
+| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment |
+| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
+| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage user experiences to provide a consistent and predictable experience for employees |
+| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
+| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
+| [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) | Changes to the Group Policy settings that you use to manage Start |
+| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices |
+| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations |
-Your employees using devices that are owned by the organization can connect to Active Directory or Azure Active Directory (Azure AD). Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
-
-
-
-### Active Directory join
-
-You can join a device running Windows 10 to an on-premises Active Directory domain after the first-run experience (sometimes called out-of-box experience or OOBE). You can add devices running Windows 10 to your existing Active Directory infrastructure and manage them just as you've always been used to managing PCs running Windows.
-
-Desktop devices running Windows 10 that are joined to an Active Directory domain can be managed using Group Policy and System Center Configuration Manager (current branch). The following table shows the management support for Windows 10 in Configuration Manager.
-
-
-
-
-
-
-
-
-
Product version
-
Windows 10 support
-
-
-
-
-
[System Center Configuration Manager (current branch) ](https://technet.microsoft.com/en-us/library/mt346023.aspx)
-
Client deployment, upgrade, and management with new and existing features
-
-
-
Configuration Manager and Configuration Manager SP1
-
Deployment, upgrade, and management with existing features
-
-
-
Configuration Manager 2007
-
Management with existing features
-
-
-
-
-
-
-### Azure AD join
-
-Devices joined to Azure AD can be managed using Microsoft Intune or other mobile device management (MDM) solutions. MDM infrastructure for Windows 10 is consistent across device types. Configuration capabilities may vary based on device platform.
-
-
-
-For flexibility in identity and management, you can combine Active Directory and Azure AD. Learn about [integrating Active Directory and Azure Active Directory for a hybrid identity solution](https://go.microsoft.com/fwlink/p/?LinkId=613209).
-
-## How setting conflicts are resolved
-
-
-A device or user might receive policies from multiple sources, such as MDM, Exchange, or provisioning packages. In any policy conflict, the most secure policy value is applied. Policy settings take precedence over settings applied in a provisioning package.
-
-**Note**
-Provisioning packages can be applied either during device setup or after setup for runtime configuration. For more information about runtime provisioning packages, see [Configure devices without MDM](configure-devices-without-mdm.md).
-
-
-
-When setting values that do not have a security implication conflict, last write wins. When settings are configured from both a provisioning package and another configuration source, the non-provisioning package configuration source has higher priority.
-
-
-
-## MDM enrollment
-
-
-Devices running Windows 10 include a built-in agent that can be used by MDM servers to enroll and manage devices. MDM servers do not need to create a separate agent or client to install on devices running Windows 10.
-
-For more information about the MDM protocols, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkID=533172).
-
## Learn more
[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
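Review bot: this rewrite removes the "How setting conflicts are resolved" and "MDM enrollment" sections outright (most secure value wins for security-relevant conflicts, last write wins otherwise, non-provisioning sources beat provisioning packages, and the built-in MDM agent), and nothing in the new "In this section" table points to where that guidance now lives; the modern-management topic added in this same patch does not cover conflict resolution either. Keep a short subsection here or add a row linking to its new home, since admins rely on those precedence rules when MDM, Exchange and provisioning packages disagree. Minor: the retained first paragraph still has the stray space in "Windows 10 : desktops".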
@@ -114,16 +55,8 @@ For more information about the MDM protocols, see [Mobile device management](htt
Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208)
-## Related topics
-[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
-- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
-- [New policies for Windows 10](new-policies-for-windows-10.md)
-- [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
-- [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
-- [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-- [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)
diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md
index ff1aec9da2..5fb13a4fac 100644
--- a/windows/manage/manage-cortana-in-enterprise.md
+++ b/windows/manage/manage-cortana-in-enterprise.md
@@ -24,6 +24,10 @@ Cortana in Windows 10 is already great at letting your employees quickly see wh
But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they won’t be late.
+>**Important**
+>Before your employees can use Cortana with Office 365, they must sign into Cortana using a Microsoft account (such as, @outlook.com), and then they must go to the **Connected Accounts** section of Cortana’s notebook to turn on and connect to Office 365.
+
+
**More info:**
- For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717378) support topic.
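Review bot: "a Microsoft account (such as, @outlook.com)" has a stray comma after "such as". Two blank "+" lines follow the blockquote where one would do. Because the note tells employees to link a personal Microsoft account to Office 365, the administrator control in the bullet right below it ("how to turn off Cortana with Office 365") is the relevant counterpart; a cross-reference from the note would help admins find it.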
diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/manage/manage-tips-and-suggestions.md
index 2fbb2e3cda..547f77a1aa 100644
--- a/windows/manage/manage-tips-and-suggestions.md
+++ b/windows/manage/manage-tips-and-suggestions.md
@@ -1,6 +1,6 @@
---
title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10)
-description: Windows 10 provides organizations with various options to manage auser experiences to provide a consistent and predictable experience for employees.
+description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
keywords: ["device management"]
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
new file mode 100644
index 0000000000..0d3374fbca
--- /dev/null
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@@ -0,0 +1,120 @@
+---
+title: Manage Windows 10 in your organization - transitioning to modern management
+description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
+keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 in your organization - transitioning to modern management
+
+Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
+
+Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
+
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+
+This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
+
+- [Deployment and Provisioning](#deployment-and-provisioning)
+
+- [Identity and Authentication](#identity-and-authentication)
+
+- [Configuration](#settings-and-configuration)
+
+- [Updating and Servicing](#updating-and-servicing)
+
+## Reviewing the management options with Windows 10
+
+Windows 10 offers a range of management options, as shown in the following diagram:
+
+
+
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Windows Store for Business.
+
+## Deployment and Provisioning
+
+With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
+
+
+
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
+
+- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx).
+
+- Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
+
+You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+
+## Identity and Authentication
+
+You can use Windows 10 and services like [Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-whatis/) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+
+You can envision user and device management as falling into these two categories:
+
+- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+
+ - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud. Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+
+ - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device.
+
+- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
+ With Windows 10, if you have an on-premises [Active Directory](https://technet.microsoft.com/windows-server-docs/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/), when employee devices are joined, they automatically register with Azure AD. This provides:
+
+ - Single sign-on to cloud and on-premises resources from everywhere
+
+ - [Enterprise roaming of settings](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/)
+
+ - [Conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) to corporate resources based on the health or configuration of the device
+
+ - [Windows Hello for Business](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
+
+ - Windows Hello
+
+ Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
+
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+
+As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
+
+
+
+## Settings and Configuration
+
+Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
+
+**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go.
+
+**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
+
+- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
+
+- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+
+You can use the following generalized decision tree to review the management choices for devices in your organization:
+
+
+
+## Updating and Servicing
+
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios).
+
+MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
+
+## Next steps
+
+There are a variety of steps you can take to begin the process of modernizing device management in your organization:
+
+- **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate.
+
+- **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
+
+- **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
+
+- **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability.
+
+- **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management.
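Review bot: the text says "as shown in the following diagram" and "use the following generalized decision tree" (three places), but the hunk has only blank lines at those points; confirm the image markdown is actually in the commit, otherwise three sections reference figures that do not exist. Wording fixes in the new topic: "enabled by a cloud-based device management services like Microsoft Intune" (drop the "a" or make it "service"), "MDM with Intune provide tools" should be "provides", and "reassesses authentication and compliance" should be "reassess". In the Identity section, "Windows Hello for Business" and "Windows Hello" are listed as two separate benefits without saying how they differ; a short clause on each would help.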
diff --git a/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
index 888c3b7ee1..ea6d910cb6 100644
--- a/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -246,4 +246,4 @@ Add or vote on suggestions on the [User Experience Virtualization feedback site]
[Administering UE-V](uev-administering-uev.md)
-[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md#deploycatalogue)
+[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md)
\ No newline at end of file
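Review bot: dropping "#deploycatalogue" from the link sends readers to the top of the Deploy UE-V for Custom Applications topic instead of the settings template catalog section it previously targeted; if the anchor was removed because the heading id changed, link the new id rather than the whole page. The same anchor is dropped from the catalog link in uev-for-windows.md later in this patch, so both should be fixed the same way.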
diff --git a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
index e18bff1e74..a0b3bf91d3 100644
--- a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -18,7 +18,6 @@ After you deploy User Experience Virtualization (UE-V) and its required features
## UE-V Configuration Pack supported features
-
The UE-V Configuration Pack includes tools to:
- Create or update UE-V settings location template distribution baselines
@@ -103,10 +102,9 @@ It might be necessary to change the PowerShell execution policy to allow these s
1. Select **Administration > Client Settings > Properties**
2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
-
-**Create the first UE-V policy configuration item**
+**Create the first UE-V policy configuration item**
1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:
@@ -173,8 +171,7 @@ It might be necessary to change the PowerShell execution policy to allow these s
3. Reimport the CAB file. The version in ConfigMgr will be updated.
-## Generate a UE-V Template Baseline
-
+## Generate a UE-V Template Baseline
UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.
diff --git a/windows/manage/uev-for-windows.md b/windows/manage/uev-for-windows.md
index 1f4eaab35c..8702b65318 100644
--- a/windows/manage/uev-for-windows.md
+++ b/windows/manage/uev-for-windows.md
@@ -54,7 +54,7 @@ Use these UE-V components to create and manage custom templates for your third-p
| Component | Description |
|-------------------------------|---------------|
| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor. With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. |
-| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior. If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md#deploycatalogue). |
+| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior. If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md).|
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
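Review bot: removing "#deploycatalogue" turns the "Deploy a UE-V settings template catalog" deep link into a link to the top of the topic; the sentence promises information about settings deployment catalogs specifically, so point it at the current heading id for that section instead of the whole page.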