Merge branch 'master' into vso-7992313a

browsers/edge/Index.md

@@ -21,7 +21,11 @@ localizationpriority: high
 Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
 
 Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
-<p>**Note**<br>This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
+
+> **Note**<br>This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
+
+
+> **Note**<br>For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892).
 
 ## In this section
 
@@ -58,3 +62,4 @@ You'll need to keep running them using IE11. If you don't have IE11 installed an
 - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644)
 - [Internet Explorer 11 - FAQ for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760645)
 - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
+

browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md

@@ -44,6 +44,7 @@ IE11 offers enterprises additional security, manageability, performance, backwar
 -   **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
 
 ## Related topics
+- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
 - [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
 - [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
 - [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)

browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md

@@ -19,6 +19,10 @@ ms.sitesec: library
 
 Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
 
+>**Upgrade Analytics and Windows upgrades**<br>
+>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started).
+
+
 ## Before you begin
 Before you start, you need to make sure you have the following:
 

browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md

@@ -20,8 +20,8 @@ Included examples:
 - [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
 - [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
 - [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
-- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-IP-address)
-- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-IP-address-matches-the-specified-IP-address)
+- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
+- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
 - [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
 - [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)
 

browsers/internet-explorer/index.md

@@ -6,6 +6,7 @@ ms.prod: IE11
 title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
 assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
 ms.sitesec: library
+localizationpriority: low
 ---
 
 

devices/hololens/hololens-checklist.md

@@ -0,0 +1,30 @@
+---
+title: Checklist for HoloLens in the enterprise (HoloLens)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Checklist: HoloLens in the enterprise
+
+[Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers)
+
+
+Windows Store for Business 
+
+Requirements
+
+- IT Admins: Before you sign up for the Store for Business, at a minimum, you'll need an Azure Active Directory (AAD) account for your organization, and you'll need to be the global administrator for your organization. Once the Global Admin has signed in, they can give permissions to other employees.
+- End Users: Need Azure AD account when they access Store for Business content from Windows-based devices.
+
+[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
+
+[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
+
+[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
+
+[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
+

devices/surface-hub/TOC.md

@@ -1,8 +1,8 @@
 # [Microsoft Surface Hub](index.md)
 ## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
 ### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
-### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
 ### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
 #### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
 ##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
 ##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
@@ -17,20 +17,23 @@
 #### [Setup worksheet](setup-worksheet-surface-hub.md)
 #### [First-run program](first-run-program-surface-hub.md)
 ### [Manage Microsoft Surface Hub](manage-surface-hub.md)
-#### [Accessibility](accessibility-surface-hub.md)
-#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-surface-hub.md)
-#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
+#### [Remote Surface Hub management](remote-surface-hub-management.md)
+##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
+##### [Monitor your Surface Hub](monitor-surface-hub.md)
+##### [Windows updates](manage-windows-updates-for-surface-hub.md)
+#### [Manage Surface Hub settings](manage-surface-hub-settings.md)
+##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
+##### [Accessibility](accessibility-surface-hub.md)
+##### [Change the Surface Hub device account](change-surface-hub-device-account.md)
+##### [Device reset](device-reset-surface-hub.md)
+##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
+##### [Wireless network management](wireless-network-management-for-surface-hub.md)
 #### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-#### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)
-#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-#### [Monitor your Surface Hub](monitor-surface-hub.md)
+#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
 #### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
 #### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
 #### [Using a room control system](use-room-control-system-with-surface-hub.md)
-#### [Windows updates](manage-windows-updates-for-surface-hub.md)
-#### [Wireless network management](wireless-network-management-for-surface-hub.md)
 ### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
 ### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
-
+## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [Change history for Surface Hub](change-history-surface-hub.md)

devices/surface-hub/accessibility-surface-hub.md

@@ -13,66 +13,44 @@ localizationpriority: medium
 
 # Accessibility (Surface Hub)
 
+Microsoft Surface Hub has the same accessibility options as Windows 10.
 
-Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under **Ease of Access**. Your Surface Hub has the same accessibility options as Windows 10.
 
-The default accessibility settings for Surface Hub include:
+## Default accessibility settings
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Accessibility feature</th>
-<th align="left">Default setting</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p><strong>Narrator</strong></p></td>
-<td align="left"><p>Off</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Magnifier</strong></p></td>
-<td align="left"><p>Off</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>High contrast</strong></p></td>
-<td align="left"><p>No theme selected</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Closed captions</strong></p></td>
-<td align="left"><p>Defaults selected for <strong>Font</strong> and <strong>Background and window</strong>.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Keyboard</strong></p></td>
-<td align="left"><p>On-screen <strong>Keyboard</strong>, <strong>Sticky Keys</strong>, <strong>Toggle Keys</strong>, and <strong>Filter Keys</strong> are all off.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Mouse</strong></p></td>
-<td align="left"><p>Defaults selected for <strong>Pointer size</strong>, <strong>Pointer color</strong> and <strong>Mouse keys</strong>.</p></td>
-</tr>
-</tbody>
-</table>
+The full list of accessibility settings are available to IT admins in the **Settings** app. The default accessibility settings for Surface Hub include:
 
- 
+| Accessibility feature | Default settings  |
+| --------------------- | ----------------- |
+| Narrator              | Off               |
+| Magnifier             | Off               |
+| High contrast         | No theme selected |
+| Closed captions       | Defaults selected for Font and Background and window |
+| Keyboard              | **On-screen Keyboard**, **Sticky Keys**, **Toggle Keys**, and **Filter Keys** are all off. |
+| Mouse                 | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
+| Other options         | Defaults selected for **Visual options** and **Touch feedback**. |
+
+Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
+- Narrator
+- Magnifier
+- High contrast
+- Filter keys
+- Sticky keys
+- Toggle keys
+- Mouse keys
+
+
+## Change accessibility settings during a meeting
+
+During a meeting, users can toggle accessibility features and apps in a couple ways:
+- [Keyboard shortcuts](https://support.microsoft.com/en-us/help/13813/windows-10-microsoft-surface-hub-keyboard-shortcuts)
+- **Quick Actions** > **Ease of Access** from the status bar
+
+> ![Image showing Quick Action center on Surface Hub](images/sh-quick-action.png)
 
-You'll find additional settings under **Ease of Access** &gt; **Other options**.
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
- 
-
- 
-
-
-
-
-

devices/surface-hub/admin-group-management-for-surface-hub.md

@@ -14,96 +14,67 @@ localizationpriority: medium
 # Admin group management (Surface Hub)
 
 
-Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.
+Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app.
+
 
-The Settings app requires local administrator credentials to open the app.
 ## Admin Group Management
 
+You can set up administrator accounts for the device in one of three ways:
 
-You can set up administrator accounts for the device in any of three ways:
+-   Create a local admin account
+-   Domain join the device to Active Directory (AD)
+-   Azure Active Directory (Azure AD) join the device
 
--   Create a local admin account.
--   Domain join the device to Active Directory (AD).
--   Azure Active Directory (Azure AD) join the device.
 
 ### Create a local admin account
 
-To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will need to be provided to open the Settings app.
+To create a local admin, [choose to use a local admin during first run](first-run-program-surface-hub.md#use-a-local-admin). This will create a single local admin account on the Surface Hub with the username and password of your choice. Use these credentials to open the Settings app.
 
-Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again.
+Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then you’ll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
 
 ### Domain join the device to Active Directory (AD)
 
-You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings.
+You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
 
->**Note**  Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
+#### What happens when you domain join your Surface Hub?
+Surface Hubs use domain join to:
+- Grant admin rights to members of a specified security group in AD.
+- Backup the device's BitLocker recovery key by storing it under the computer object in AD. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
+- Synchronize the system clock with the domain controller for encrypted communication
 
- 
+Surface Hub does not support applying group policies or certificates from the domain controller.
 
->**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first.
+> [!NOTE]
+> If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
 
- 
 
 ### Azure Active Directory (Azure AD) join the device
 
-You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app.
+You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
 
->**Note**  If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses.
+By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
+1.  In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
+2.  On the **Configure** page, under **Devices** > **Additional administrators on Azure AD joined devices**, click **Selected**.
+3.  Click **Add**, and select the users you want to add as administrators on your Surface Hub and other Azure AD joined devices.
+4.  When you have finished, click the checkmark button to save your change.
 
- 
+#### What happens when you Azure AD join your Surface Hub?
+Surface Hubs use Azure AD join to:
+- Grant admin rights to the appropriate users in your Azure AD tenant.
+- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
+
+> [!IMPORTANT]
+> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
 
 ### Which should I choose?
 
-If your organization is using AD or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with you domain or organization.
-
-We recommend that a local admin be set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
-
-### Summary
-
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">How is the local administrator set up?</th>
-<th align="left">Requirements</th>
-<th align="left">Which credentials can be used for the Settings app?</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left">A local admin account is created.</td>
-<td align="left">None.</td>
-<td align="left">The credentials of the local admin that was created.</td>
-</tr>
-<tr class="even">
-<td align="left">The Surface Hub is joined to a domain.</td>
-<td align="left">Your organization is using Active Directory (AD).</td>
-<td align="left">Credentials of any AD user from a specified security group</td>
-</tr>
-<tr class="odd">
-<td align="left">The Surface Hub is joined to Azure Active Directory (Azure AD).</td>
-<td align="left">Your organization is using Azure AD Basic.</td>
-<td align="left">Tenant or device admins</td>
-</tr>
-<tr class="even">
-<td align="left">Your organization is using Azure AD Premium.</td>
-<td align="left">Tenant or device admins + additional specified people</td>
-<td align="left"></td>
-</tr>
-</tbody>
-</table>
-
- 
-
- 
-
- 
-
-
+If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
 
+| Option                                            | Requirements                            | Which credentials can be used to access the Settings app?  |
+|---------------------------------------------------|-----------------------------------------|-------|
+| Create a local admin account                      | None                                    | The user name and password specified during first run |
+| Domain join to Active Directory (AD)              | Your organization uses AD               | Any AD user from a specific security group in your domain |
+| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic   | Global administators only |
+| &nbsp;                                            | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
 
 

devices/surface-hub/change-history-surface-hub.md

@@ -0,0 +1,40 @@
+---
+title: Change history for Surface Hub
+description: This topic lists new and updated topics for Surface Hub.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Change history for Surface Hub
+
+This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+
+## November 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | New |
+
+## RELEASE: Windows Anniversary Update for Surface Hub (Windows 10, version 1607)
+The topics in this library have been updated for Windows 10, version 1607 (also known as Windows Anniversary Update for Surface Hub). These topics had significant updates for this release:
+- [Windows Updates (Surface Hub)](manage-windows-updates-for-surface-hub.md)
+- [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md)
+- [Monitor your Microsoft Surface Hub](monitor-surface-hub.md)
+- [Create provisioning packages (Surface Hub)](provisioning-packages-for-certificates-surface-hub.md)
+- [Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md)
+- [Device reset (Surface Hub)](device-reset-surface-hub.md)
+
+## October 2016
+| New or changed topic | Description |
+| --- | --- |
+| [Admin group management (Surface Hub)](admin-group-management-for-surface-hub.md) |Add note about automatic enrollment, and update table. |
+| [Password management (Surface Hub)](password-management-for-surface-hub-device-accounts.md) | Updates to content. |
+| [Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Reorganize and streamline guidance on creating a device account.  |
+| [Introduction to Surface Hub](intro-to-surface-hub.md) | Move Surface Hub dependencies table to [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md). |
+| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Add dependency table and reorganize topic. | 
+| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | New topic. |

devices/surface-hub/connect-and-display-with-surface-hub.md

@@ -233,7 +233,7 @@ Surface Hub is compatible with a range of hardware. Choose the processor and mem
 
 ### Graphics adapter
 
-In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, though the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal, 60Hz video signals are also supported.
+In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal.
 
 **55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
 
@@ -295,7 +295,7 @@ Replacement PC ports on 55" Surface Hub.
 <tr class="odd">
 <td><p>PC video</p></td>
 <td><p>Video input</p></td>
-<td><p>DisplayPort 1.2</p></td>
+<td><p>DP 1.2</p></td>
 <td><ul>
 <li><p>Full screen display of 1080p at 120 Hz, plus audio</p></li>
 <li><p>HDCP compliant</p></li>
@@ -352,7 +352,7 @@ Replacement PC ports on 84" Surface Hub.
 <tr class="odd">
 <td><p>PC video</p></td>
 <td><p>Video input</p></td>
-<td><p>DisplayPort 1.2 (2x)</p></td>
+<td><p>DP 1.2 (2x)</p></td>
 <td><ul>
 <li><p>Full screen display of 2160p at 120 Hz, plus audio</p></li>
 <li><p>HDCP compliant</p></li>

devices/surface-hub/create-a-device-account-using-office-365.md

@@ -133,7 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
 5.  Finally, to connect to Exchange Online Services, run:
 
     ``` syntax
-    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
+    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
     ```
 
     ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)
@@ -202,7 +202,7 @@ Now that you're connected to the online services, you can finish setting up the
 
     ``` syntax
     Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts   $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
-    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
+    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
     ```
 
     ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-26.png)
@@ -350,7 +350,7 @@ Now that you're connected to the online services, you can finish setting up the
 
     ``` syntax
     Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts   $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
-    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
+    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
     ```
 
 5.  Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”).

devices/surface-hub/create-and-test-a-device-account-surface-hub.md

@@ -16,166 +16,43 @@ localizationpriority: medium
 
 This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
 
-A "device account" is an account that the Microsoft Surface Hub uses to:
+A **device account** is an Exchange resource account that Surface Hub uses to:
 
--   sync its meeting calendar,
--   send mail,
--   and enable Skype for Business compatibility.
+-   Display its meeting calendar
+-   Join Skype for Business calls
+-   Send email (for example, email whiteboard content from a meeting)
 
-People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees.
+Once the device account is provisioned to a Surface Hub, people can add this account to a meeting invitation the same way that they would invite a meeting room. 
 
->**Important**  Without a device account, none of these features will work.
+## Configuration overview
 
- 
+This table explains the main steps and configuration decisions when you create a device account. 
  
-Every device account is unique to a single Surface Hub, and requires some setup:
+| Step | Description                     |  Purpose                             |
+|------|---------------------------------|--------------------------------------|
+| 1    | Created a logon-enabled Exchange resource mailbox (Exchange 2013 or later, or Exchange Online) | This resource mailbox allows the device to maintain a meeting calendar, receive meeting requests, and send mail. It must be logon-enabled to be provisioned to a Surface Hub. |
+| 2    | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
+| 3    | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
+| 4    | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing.  |
+| 5    | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
+| 6    | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md).  |
 
--   The device account must be configured correctly, as described in the folllowing sections.
--   Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services.
+## Detailed configuration steps 
 
-You can think of a device account as the resource account that people recognize as a conference room’s or meeting space’s account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one.
+We recommend setting up your device accounts using remote PowerShell. There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts and instructions, see [Appendix A: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md). 
 
-If you already have a resource mailbox account set up for the meeting space where you’re putting a Surface Hub, you can change that resource account into a device account. Once that’s done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md).
+For detailed steps using PowerShell to provision a device account, choose an option from the table, based on your organization deployment. 
 
-The following sections will describe how to create and test a device account before configuring your Surface Hub.
+| Organization deployment             |  Description                  |
+|---------------------------------|--------------------------------------|
+| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
+| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
+| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
 
-### Basic configuration
-
-These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config).
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Property</th>
-<th align="left">Purpose</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Exchange mailbox (Exchange 2013 or later, or Exchange Online)</p></td>
-<td align="left"><p>Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hub’s welcome screen. The Surface Hub mailbox must be a room mailbox.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)</p></td>
-<td align="left"><p>Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Password-enabled</p></td>
-<td align="left"><p>The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Compatible EAS policies</p></td>
-<td align="left"><p>The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
-### <a href="" id="advanced-config"></a>Advanced configuration
-
-While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account.
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Property</th>
-<th align="left">Purpose</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Certificate-based authentication</p></td>
-<td align="left"><p>Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.</p>
-<p>See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Allowed device IDs (ActiveSync Device ID)</p></td>
-<td align="left"><p>Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device account’s mail and calendar. You must ensure that the Surface Hub’s device ID is added to this whitelist. This can either be configured using PowerShell (by setting the <code>ActiveSyncAllowedDeviceIDs</code> property) or the Exchange administrative portal.</p>
-<p>You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
-### How do I set up the account?
-
-The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
-
-You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
-
-### Device account configuration
-
-Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
-
--   [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
--   [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
--   [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
-
-If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md).
-
-### Device account resources
-
-These sections describe resources used by the Surface Hub device account.
-
--   [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly.
--   [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar.
--   [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password.
-
-## In this section
+If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell. 
+For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
 
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[Online deployment](online-deployment-surface-hub-device-accounts.md)</p></td>
-<td align="left"><p>This topic has instructions for adding a device account for your Surface Hub when you have a pure, online deployment.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)</p></td>
-<td align="left"><p>This topic explains how you add a device account for your Surface Hub when you have a single-forest, on-premises deployment.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)</p></td>
-<td align="left"><p>A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Create a device account using UI](create-a-device-account-using-office-365.md)</p></td>
-<td align="left"><p>If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)</p></td>
-<td align="left"><p>Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)</p></td>
-<td align="left"><p>The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Password management](password-management-for-surface-hub-device-accounts.md)</p></td>
-<td align="left"><p>Every Surface Hub device account requires a password to authenticate and enable features on the device.</p></td>
-</tr>
-</tbody>
-</table>
 
  
 

devices/surface-hub/device-reset-surface-hub.md

@@ -30,6 +30,14 @@ Initiating a reset will return the device to the last cumulative Windows update,
 -   Local admins on the device
 -   Configurations from MDM or the Settings app
 
+> [!IMPORTANT]
+> Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+
+After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. 
+
+
+## Reset a Surface Hub from Settings
+
 **To reset a Surface Hub**
 1.	On your Surface Hub, open **Settings**. 
 
@@ -43,14 +51,20 @@ Initiating a reset will return the device to the last cumulative Windows update,
 
     ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) 
 
-**Important Note**</br>
-Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+## Reset a Surface Hub from Windows Recovery Environment
+ 
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE). 
+
+**To reset a Surface Hub from Windows Recovery Environment**
+
+1.  From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. 
+2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
+3. Select **Reset**.
+4. If prompted, enter your device's BitLocker key. 
 
-After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. 
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md

@@ -0,0 +1,169 @@
+---
+title: Differences between Surface Hub and Windows 10 Enterprise
+description: This topic explains the differences between Windows 10 Team and Windows 10 Enterprise.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: isaiahng
+localizationpriority: medium
+---
+
+# Differences between Surface Hub and Windows 10 Enterprise
+
+The Surface Hub operating system, Windows 10 Team, is based on Windows 10 Enterprise, providing rich support for enterprise management, security, and other features. However, there are important differences between them. While the Enterprise edition is designed for PCs, Windows 10 Team is designed from the ground up for large screens and meeting rooms. When you evaluate security and management requirements for Surface Hub, it's best to consider it as a new operating system. This article is designed to help highlight the key differences between Windows 10 Team on Surface Hub and Windows 10 Enterprise, and what the differences mean for your organization.
+
+## User interface
+
+### Shell (OS user interface)
+
+The Surface Hub's shell is designed from the ground up to be large screen and touch optimized. It doesn't use the same shell as Windows 10 Enterprise.
+
+*Organization policies that this may affect:* <br> Settings related to controls in the Windows 10 Enterprise shell don't apply for Surface Hub.
+
+### Lock screen and screensaver
+
+Surface Hub doesn't have a lock screen or a screen saver, but it has a similar feature called the welcome screen. The welcome screen shows scheduled meetings from the device account's calendar, and easy entry points to the Surface Hub's top apps - Skype for Business, Whiteboard, and Connect.
+
+*Organization policies that this may affect:* <br> Settings for lock screen, screen timeout, and screen saver don't apply for Surface Hub.
+
+### User logon
+
+Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
+
+> [!NOTE]
+> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**. 
+
+*Organization policies that this may affect:* <br> Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
+
+### Saving and browsing files
+
+Users have access to a limited set of directories on the Surface Hub:
+- Music
+- Videos
+- Documents
+- Pictures
+- Downloads
+
+Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
+
+*Organization policies that this may affect:* <br> Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
+
+## Applications
+
+### Default applications
+
+With few exceptions, the default Universal Windows Platform (UWP) apps on Surface Hub are also available on Windows 10 PCs.
+
+UWP apps pre-installed on Surface Hub:
+- Alarms & Clock
+- Calculator
+- Connect
+- Excel Mobile
+- Feedback Hub
+- File Explorer*
+- Get Started
+- Maps
+- Microsoft Edge
+- Microsoft Power BI
+- OneDrive
+- Photos
+- PowerPoint Mobile
+- Settings*
+- Skype for Business*
+- Store
+- Whiteboard*
+- Word Mobile
+
+*Apps with an asterisk (&ast;) are unique to Surface Hub*
+
+*Organization policies that this may affect:* <br> Use guidelines for Windows 10 Enterprise to determine the features and network requirements for default apps on the Surface Hub.
+
+### Installing apps, drivers, and services
+
+To help preserve the appliance-like nature of the device, Surface Hub only supports installing Universal Windows Platform (UWP) apps, and does not support installing classic Win32 apps, services and drivers. Furthermore, only admins have access to install UWP apps.
+
+*Organization policies that this may affect:* <br> Employees can only use the apps that have been installed by admins, helping mitigate against unintended use. Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools.
+
+## Security and lockdown
+
+For Surface Hub to be used in communal spaces, such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10.
+
+Surface Hub implements these Windows 10 security features:
+- [UEFI Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview)
+- [User Mode Code Integrity (UMCI) with Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)
+- [Application restriction policies using AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview)
+- [BitLocker Drive Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview)
+- [Trusted Platform Module (TPM)](https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview)
+- [Windows Defender](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10)
+- [User Account Control (UAC)](https://technet.microsoft.com/itpro/windows/keep-secure/user-account-control-overview) for access to the Settings app
+
+These Surface Hub features provide additional security:
+- Custom UEFI firmware
+- Custom shell and Start menu limits device to meeting functions
+- Custom File Explorer only grants access to files and folders under My Documents
+- Custom Settings app only allows admins to modify device settings
+- Downloading advanced Plug and Play drivers is disabled
+
+*Organization policies that this may affect:* <br> Consider these features when performing your security assessment for Surface Hub.
+
+## Management
+
+### Device settings
+
+Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not log in the admin.
+
+*Organization policies that this may affect:* <br> Employees can use the Surface Hub for meetings, but cannot modify any device settings. In addition to lockdown features, this ensures that employees only use the device for meeting functions.
+
+### Administrative features
+
+The administrative features in Windows 10 Enterprise, such as the Microsoft Management Console, Run, Command Prompt, PowerShell, registry editor, event viewer, and task manager are not supported on Surface Hub. The Settings app contains all of the administrative features locally available on Surface Hub.
+
+*Organization policies that this may affect:* <br> Surface Hubs are not managed like traditional PCs. Use MDM to configure settings and OMS to monitor your Surface Hub.
+
+### Remote management and monitoring
+
+Surface Hub supports remote management through mobile device management (MDM), and monitoring through Operations Management Suite (OMS).
+
+*Organization policies that this may affect:* <br> Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools, such as System Center Operations Manager.
+
+### Group policy
+
+Surface Hub does not support group policy, including auditing. Instead, use MDM to apply policies to your Surface Hub. For more information about MDM, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
+
+*Organization policies that this may affect:* <br> Use MDM to manage Surface Hub rather than group policy.
+
+### Remote assistance
+
+Surface Hub does not support remote assistance.
+
+*Organization policies that this may affect:* <br> Policies related to remote assistance don't apply for Surface Hub.
+
+## Network
+
+### Domain join and Azure Active Directory (Azure AD) join 
+
+Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't log in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
+
+*Organization policies that this may affect:* <br> Group policies are not applied when a Surface Hub is joined to your domain. Policies related to domain membership don't apply for Surface Hub.
+
+### Accessing domain resources
+
+Users can sign in to Microsoft Edge to access intranet sites and online resources (such as Office 365). If your Surface Hub is configured with a device account, the system uses it to access Exchange and Skype for Business. However, Surface Hub doesn't support accessing domain resources such as file shares and printers.
+
+*Organization policies that this may affect:* <br> Policies related to accessing domain objects don't apply for Surface Hub.
+
+<!--
+### Endpoints
+
+
+
+*Organization policies that this may affect:* <br> 
+-->
+
+### Telemetry
+
+The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+
+*Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.

devices/surface-hub/first-run-program-surface-hub.md

@@ -169,17 +169,19 @@ On this page, the Surface Hub will ask for credentials for the device account th
 
 >**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.
 
- 
 
 ![Image showing Enter device account info page.](images/setupdeviceacct.png)
 
 ### Details
 
-Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field.
+Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password.
+
+| Environment  | Required format for device account|
+| ------------ | ----------------------------------|
+| Device account is hosted only online.  | username@domain.com|
+| Device account is hosted only on-prem.  | DOMAIN\username|
+| Device account is hosted online and on-prem (hybrid).  |  DOMAIN\username|
 
--   **User principal name:** This is the UPN of the device account for this Surface Hub. If you’re using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account.
--   **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If you’re using an Active Directory (AD) deployment, then you must enter the account in this format.
--   **Password:** Enter the device account password.
 
 Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to:
 
@@ -423,7 +425,7 @@ This page will attempt to create a new admin account using the credentials that
 
 In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps.
 
-1.  Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus).
+1.  Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#use-windows-server-update-services).
 2.  Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**.
 3.  If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates.
 4.  Follow the onscreen prompts after the updates are installed. You may need to restart the device.

devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md

@@ -12,7 +12,7 @@ localizationpriority: medium
 ---
 
 # Hybrid deployment (Surface Hub)
-A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
+A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#exchange-on-prem), and [Exchange hosted online](#exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
 
 ## Exchange on-prem
 Use this procedure if you use Exchange on-prem.

devices/surface-hub/index.md

@@ -34,5 +34,7 @@ Documents related to the Microsoft Surface Hub.
 <td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
 <td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
 </tr>
+<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr><tr>
+<td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
 </tbody>
 </table>

devices/surface-hub/install-apps-on-surface-hub.md

@@ -13,22 +13,158 @@ localizationpriority: medium
 
 # Install apps on your Microsoft Surface Hub
 
+You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
 
-Admins can install apps can from either the Windows Store or the Windows Store for Business.
-
-## Using the Windows Store
+A few things to know about apps on Surface Hub:
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
+- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
+- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
+- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
+- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.
 
 
-Admins can install apps on the device using the Windows Store app available in **Settings** > **System** > **Microsoft Surface Hub**. They can start the store app, sign in using their Microsoft account credentials, browse, purchase, and install the apps as with any other Windows device.
+## Develop and test apps
+While you're developing your own app, there are a few options for testing apps on Surface Hub.
 
-## Using the Store for Business
+### Developer Mode
+By default, Surface Hub only runs UWP apps that have been published to and signed by the Windows Store. Apps submitted to the Windows Store go through security and compliance tests as part of the [app certification process](https://msdn.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process), so this helps safeguard your Surface Hub against malicious apps.
+ 
+By enabling developer mode, you can also install developer-signed UWP apps.
+ 
+> [!IMPORTANT]
+> After developer mode has been enabled, you will need to reset the Surface Hub to disable it. Resetting the device removes all local user files and configurations and then reinstalls Windows.
+
+**To turn on developer mode** 
+1.	From your Surface Hub, start **Settings**.
+2.	Type the device admin credentials when prompted.
+3.	Navigate to **Update & security** > **For developers**.
+4.	Select **Developer mode** and accept the warning prompt.
+
+### Visual Studio
+During development, the easiest way to test your app on a Surface Hub is using Visual Studio. Visual Studio's remote debugging feature helps you discover issues in your app before deploying it broadly. For more information, see [Test Surface Hub apps using Visual Studio](https://msdn.microsoft.com/windows/uwp/debug-test-perf/test-surface-hub-apps-using-visual-studio).
+
+### Provisioning package
+Use Visual Studio to [create an app package](https://msdn.microsoft.com/library/windows/apps/hh454036.aspx) for your UWP app, signed using a test certificate. Then use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
 
 
-For apps purchased through the Store for Business, download the Appxbundle, offline license, and the dependencies for the App from the store to a separate PC. Create a provisioning package and copy it to a USB drive. (See [Create a provisioning package](provisioning-packages-for-certificates-surface-hub.md).) Move the USB drive to the Surface Hub, and install the app on the device using the Settings app.
+## Submit apps to the Windows Store
+Once an app is ready for release, developers need to submit and publish it to the Windows Store. For more information, see [Publish Windows apps](https://developer.microsoft.com/store/publish-apps).
+
+During app submission, developers need to set **Device family availability** and **Organizational licensing** options to make sure the app will be available to run on Surface Hub.
+
+**To set device family availability**  
+1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
+2. Select **Packages**.
+3. Under Device family availability, select these options:
+    - **Windows 10 Desktop** (other device families are optional)
+    - **Let Microsoft decide whether to make the app available to any future device families**
+  
+![Image showing Device family availability page - part of Windows Store app submission process.](images/sh-device-family-availability.png)  
+    
+For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
+
+**To set organizational licensing**
+1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
+2. Select **Pricing and availability**.
+3. Under Organizational licensing, select **Allow disconnected (offline) licensing for organizations**.
+
+![Image showing Organizational licensing page - part of Windows Store app submission process.](images/sh-org-licensing.png)
+
+> [!NOTE]
+> **Make my app available to organizations with Store-managed (online) licensing and distribution** is selected by default.
+
+> [!NOTE]
+> Developers can also publish line-of-business apps directly to enterprises without making them broadly available in the Store. For more information, see [Distribute LOB apps to enterprises](https://msdn.microsoft.com/windows/uwp/publish/distribute-lob-apps-to-enterprises).
+
+For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
+
+
+## Deploy released apps
+
+There are several options for installing apps that have been released to the Windows Store, depending on whether you want to evaluate them on a few devices, or deploy them broadly to your organization.
+
+To install released apps:
+- Download the app using the Windows Store app, or
+- Download the app package from the Windows Store for Business, and distribute it using a provisioning package or a supported MDM provider.
+
+### Windows Store app
+To evaluate apps released on the Windows Store, use the Windows Store app on the Surface Hub to browse and download apps.
+
+> [!NOTE]
+> Using the Windows Store app is not the recommended method of deploying apps at scale to your organization:
+> - To download apps, you must sign in to the Windows Store app with a Microsoft account or organizational account. However, you can only connect an account to a maximum of 10 devices at once. If you have more than 10 Surface Hubs, you will need to create multiple accounts or remove devices from your account between app installations.
+> - To install apps, you will need to manually sign in to the Windows Store app on each Surface Hub you own.
+
+**To browse the Windows Store on Surface Hub** 
+1.	From your Surface Hub, start **Settings**.
+2.	Type the device admin credentials when prompted.
+3.	Navigate to **This device** > **Apps & features**.
+4.	Select **Open Store**.
+
+### Download app packages from Windows Store for Business
+To download the app package you need to install apps on your Surface Hub, visit the [Windows Store for Business](https://www.microsoft.com/business-store). The Store for Business is where you can find, acquire, and manage apps for the Windows 10 devices in your organization, including Surface Hub.
+ 
+> [!NOTE]
+> Currently, Surface Hub only supports offline-licensed apps available through the Store for Business. App developers set offline-license availability when they submit apps.
+
+Find and acquire the app you want, then download:
+- The offline-licensed app package (either an .appx or an .appxbundle)
+- The *unencoded* license file (if you're using provisioning packages to install the app)
+- The *encoded* license file (if you're using MDM to distribute the app)
+- Any necessary dependency files
+
+For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app).
+
+### Provisioning package
+You can manually install the offline-licensed apps that you downloaded from the Store for Business on a few Surface Hubs using provisioning packages. Use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package and *unencoded* license file that you downloaded from the Store for Business. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
+
+### Supported MDM provider
+To deploy apps to a large number of Surface Hubs in your organization, use a supported MDM provider. The table below shows which MDM providers support deploying offline-licensed app packages.
+
+| MDM provider                | Supports offline-licensed app packages |
+|-----------------------------|----------------------------------------|
+| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
+| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
+| Microsoft Intune standalone | No |
+| Third-party MDM provider    | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
+
+**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
+
+> [!NOTE]
+> These instructions are based on the current branch of System Center Configuration Manager.
+
+1. Enroll your Surface Hubs to System Center Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm).
+2. Download the offline-licensed app package, the *encoded* license file, and any necessary dependency files from the Store for Business. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app). Place the downloaded files in the same folder on a network share.
+3. In the **Software Library** workspace of the Configuration Manager console, click **Overview** > **Application Management** > **Applications**.
+4. On the **Home** tab, in the **Create** group, click **Create Application**.
+5. On the **General** page of the **Create Application Wizard**, select the **Automatically detect information about this application from installation files** check box.
+6. In the **Type** drop-down list, select **Windows app package (\*.appx, \*.appxbundle)**.
+7. In the **Location** field, specify the UNC path in the form \\server\share\\filename for the offline-licensed app package that you downloaded from the Store for Business. Alternatively, click **Browse** to browse to the app package.
+8. On the **Import Information** page, review the information that was imported, and then click **Next**. If necessary, you can click **Previous** to go back and correct any errors.
+9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package.
+10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard. 
+11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application).
+12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications).
+13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx). 
+
+> [!NOTE] 
+> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to System Center Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with System Center Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Windows Store for Business with System Center Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx).
+
+
+## Summary
+
+There are a few different ways to install apps on your Surface Hub depending on whether you are developing apps, evaluating apps on a small number of devices, or deploying apps broadly to your oganization. This table summarizes the supported methods:
+
+| Install method             | Developing apps | Evaluating apps on <br> a few devices | Deploying apps broadly <br> to your organization |
+| -------------------------- | --------------- | ------------------------------------- | ---------------------- |
+| Visual Studio              | X |   |   |
+| Provisioning package       | X | X |   |
+| Windows Store app          |   | X |   |
+| Supported MDM provider     |   |   | X |
+
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/local-management-surface-hub-settings.md

@@ -0,0 +1,51 @@
+---
+title: Local management Surface Hub settings
+description: How to manage Surface Hub settings with Settings.
+keywords: manage Surface Hub, Surface Hub settings
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Local management for Surface Hub settings
+
+After initial setup of Microsoft Surface Hub, the device’s settings can be locally managed through **Settings**.
+
+## Surface Hub settings
+
+Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs. 
+
+| Setting | Location | Description |
+| ------- | -------- | ----------- |
+| Device account | This device > Accounts | Set or change the Surface Hub's device account. |
+| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
+| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. |
+| Change admin account password  | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
+| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. |
+| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. |
+| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. |
+| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
+| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
+| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. |
+| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. |
+| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
+| Welcome screen background |  This device > Welcome screen | Choose a background image for the welcome screen. |
+| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. |
+| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
+| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
+| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. |
+| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
+| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |
+| Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. |
+| Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. | 
+
+## Related topics
+
+[Manage Surface Hub settings](manage-surface-hub-settings.md)
+
+[Remote Surface Hub management](remote-surface-hub-management.md)
+
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md

@@ -2,6 +2,7 @@
 title: Manage settings with a local admin account (Surface Hub)
 description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
 ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
+redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
 keywords: local admin account, Surface Hub, change local admin options
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -10,113 +11,3 @@ ms.pagetype: surfacehub
 author: TrudyHa
 localizationpriority: medium
 ---
-
-# Manage settings with a local admin account (Surface Hub)
-
-
-A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
-
-Every device can be configured individually by opening the Settings app on the device you want to configure. However, to prevent people who are not administrators from changing the devices’ settings, the Settings app requires local administrator credentials to open the app and change settings.
-
-You can set up a local administrator in one of three ways (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)):
-
-1.  Create a local admin
-2.  Domain join the device (AD)
-3.  Azure Active Directory (Azure AD) join the device.
-
-### Which method should I choose?
-
-If your organization is using Active Directory or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain or organization.
-
-Preferably, a local admin is set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
-
-### Summary table
-
-<table>
-<tr>
-<th>How is the local admin set up?</th>
-<th>Requirements</th>
-<th>Which credentials will open Settings?</th>
-</tr>
-<tr>
-<td>A local admin was created<p></p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>The credentials of the local admin account.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>The device is joined to a domain (AD)</p>
-</td>
-<td>
-<p>Your organization is using Active Directory</p>
-</td>
-<td>
-<p>Credentials of any Active Directory account from the security group that was specified furing first run.</p>
-</td>
-</tr>
-<tr>
-<td rowspan="2">
-<p>The device is joined to Azure AD</p>
-</td>
-<td>
-<p>Your organization is using Azure AD Basic</p>
-</td>
-<td>
-<p>Tenant or device admins</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Your organization is using Azure AD Premium</p>
-</td>
-<td>
-<p>Tenant or device admins, plus additional specified employees</p>
-</td>
-</tr>
-</table>
-
-### Create a local admin
-
-To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will unlock the Settings app (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)). Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory or Azure Active Directory. If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from a local admin you created to a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again.
-
-### Domain join the device
-
-After you domain join the device, you can set up a security group from your domain as local administrators on the Surface Hub. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. When the Setting app is opened, any user who is a member of that security group can enter their credentials and unlock Settings.
-
->**Note**  Surface Hubs domain join for the sole purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
-
- 
-
-### Azure AD join the device
-
-You can set up people from your Azure Active Directory (Azure AD) organization as local administrators on the Surface Hub after you Azure AD join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you join Azure AD successfully, the appropriate people will be set as local admins on the device. When the Setting app is opened, any user who was set up as a local admin as a result of joining Azure AD can enter their credentials and unlock Settings. We recommend that you use the device account to join Azure AD.
-
-Otherwise, if you don’t want to use the device account to join Azure AD, you can use either of the following accounts:
-
--   The org account of an admin who will manage the device, or
--   A separate account that is part of your organization and used only for joining Surface Hubs.
-
->**Note**  If your Azure AD organization is also configured with MDM enrollment, Surface Hubs will also be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be widely managed using an MDM solution, which opts these devices into remote management. You may want to choose an account to join Azure AD that benefits how you manage devices—you find more info about this in the [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm) section.
-
- 
-
-## Related topics
-
-
-[Manage Microsoft Surface Hub](manage-surface-hub.md)
-
-[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
- 
-
- 
-
-
-
-
-

devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md

@@ -13,116 +13,215 @@ localizationpriority: medium
 
 # Manage settings with an MDM provider (Surface Hub)
 
+Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
 
-Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
+Surface Hub has been validated with Microsoft’s first-party MDM providers:
+- On-premises MDM with System Center Configuration Manager (beginning in version 1602)
+- Hybrid MDM with System Center Configuration Manager and Microsoft Intune
+- Microsoft Intune standalone
 
-The Surface Hub operating system has a built-in management component that's used to communicate with the device management server. There are two parts to the Surface Hub management component: the enrollment client, which enrolls and configures the device to communicate with the enterprise management server; and the management client, which periodically synchronizes with the management server to check for and apply updates. Third-party MDM servers can manage Surface Hub devices by using the Mobile Device Management protocol.
+You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
 
-### Supported services
+## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
+You can enroll your Surface Hubs using bulk or manual enrollment.
 
-Surface Hub management has been validated for the following MDM providers:
+> [!NOTE]
+> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
+>
+> **To disable automatic enrollment for Microsoft Intune**
+> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory. 
+> 2. Click the **Applications** tab, then click **Microsoft Intune**.
+> 3. Under **Manage devices for these users**, click **Groups**. 
+> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune. 
+> 5. Click the checkmark button, then click **Save**.
 
--   Microsoft Intune
--   System Center Configuration Manager
+### Bulk enrollment
+**To configure bulk enrollment**
+- Surface Hub supports the [Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) for bulk enrollment into MDM. For more information, see [Windows 10 bulk enrollment](https://msdn.microsoft.com/library/windows/hardware/mt613115.aspx).<br>
+--OR--
+- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
 
-### <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
+### Manual enrollment
+**To configure manual enrollment**
+1. From your Surface Hub, open **Settings**.
+2. Type the device admin credentials when prompted.
+3. Select **This device**, and navigate to **Device management**.
+4. Under **Device management**, select **+ Device management**.
+5. Follow the instructions in the dialog to connect to your MDM provider.
 
-If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscription, the device can automatically enroll into MDM and will be ready for remote management.
+## Manage Surface Hub settings with MDM
 
-Alternatively, the device can be enrolled like any other Windows device by going to **Settings** &gt; **Accounts** &gt; **Work access**.
+You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
 
-![Image showing enroll in device maagement page.](images/managesettingsmdm-enroll.png)
+### Supported Surface Hub CSP settings
 
-### Manage a device through MDM
+You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
 
-The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings.
+For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). 
 
-<table>
-<colgroup>
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left"></th>
-<th align="left">Setting</th>
-<th align="left">OMA URI</th>
-<th align="left">Type</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>1</p></td>
-<td align="left"><p>Auto Awake when someone is in the room</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen</p></td>
-<td align="left"><p>Boolean</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>2</p></td>
-<td align="left"><p>Require that people must enter a PIN when pairing to the Surface Hub</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired</p></td>
-<td align="left"><p>Boolean</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>3</p></td>
-<td align="left"><p>Set the maintenance window duration. This time is in minutes. As an example, to set a 3 hour duration, you set the value to 180.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>4</p></td>
-<td align="left"><p>Set the maintenance window start time. This time is in minutes past midnight. To set a 2:00 am start time, set a value of 120, meaning 120 minutes past midnight.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>5</p></td>
-<td align="left"><p>The Microsoft Operations Management Suite (OMS) Workspace ID that this device will connect to.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID</p></td>
-<td align="left"><p>String</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>6</p></td>
-<td align="left"><p>The key that must be used when connecting to the specified OMS workspace.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey</p></td>
-<td align="left"><p>String</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>7</p></td>
-<td align="left"><p>Choose the meeting information displayed on the welcome screen.</p>
-<p>Value : 0 - Show organizer and time only</p>
-<p>Value : 1 - Show organizer, time, and subject (subject is hidden for private meetings)</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>8</p></td>
-<td align="left"><p>Enable/Disable all Wireless Projection to the Surface Hub</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled</p></td>
-<td align="left"><p>Boolean</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>9</p></td>
-<td align="left"><p>Select a specific wireless channel on which Miracast Receive will operate</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>10</p></td>
-<td align="left"><p>Change the background image for the welcome screen using a PNG image URL.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)</p></td>
-<td align="left"><p>String</p></td>
-</tr>
-</tbody>
-</table>
+| Setting              | Node in the SurfaceHub CSP         | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| -------------------- | ---------------------------------- | ------------------------- | ---------------------------------------- | ------------------------- |
+| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
+| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
+| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> Use a custom setting. | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> Use a custom setting. | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> Use a custom setting. | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> Use a custom setting. | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
 
- 
+### Supported Windows 10 settings
+
+In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/library/windows/hardware/dn920025.aspx). 
+
+The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
+
+#### Security settings
+| Setting  | Details  | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+
+#### Browser settings
+
+| Setting  | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)  | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow developer tools  | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br>  Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+
+#### Windows Update settings
+
+| Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
+| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+
+#### Windows Defender settings
+
+| Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br>  Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
+
+#### Remote reboot
+
+| Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+
+#### Install certificates
+
+| Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. |  [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes. <br> See [Configure Intune certificate profiles](https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles). | Yes. <br> See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles). | Yes |
+<!--
+| Install client certificates  | Use to deploy Personal Information Exchange (.pfx, .p12) certificates. | [ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx) | Yes. <br> See [How to Create and Deploy PFX Certificate Profiles in Intune Standalone](https://blogs.technet.microsoft.com/karanrustagi/2016/03/16/want-to-push-a-certificate-to-device-but-cant-use-ndes-continue-reading/). | Yes. <br> See [How to create PFX certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-pfx-certificate-profiles). | Yes |
+-->
+
+#### Collect logs
+
+| Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
+| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes |
+<!--
+| Collect security auditing logs | Use to remotely collect security auditing logs from Surface Hub. | SecurityAuditing node in [Reporting CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608321.aspx) | No | No | Yes |-->
+
+### Generate OMA URIs for settings 
+You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
+
+**To generate the OMA URI for any setting in the CSP documentation**
+1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/<name of CSP>` <br>
+*For example, the root node of the [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) is `./Vendor/MSFT/SurfaceHub`.*
+2. Identify the node path for the setting you want to use. <br>
+*For example, the node path for the setting to enable wireless projection is `InBoxApps/WirelessProjection/Enabled`.*
+3. Append the node path to the root node to generate the OMA URI. <br>
+*For example, the OMA URI for the setting to enable wireless projection is `./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled`.*
+
+The data type is also stated in the CSP documentation. The most common data types are:
+- char (String)
+- int (Integer)
+- bool (Boolean)
+
+## Example: Manage Surface Hub settings with Micosoft Intune
+
+You can use Microsoft Intune to manage Surface Hub settings. 
+
+**To create a configuration policy from a template**
+
+You'll use the **Windows 10 Team general configuration policy** as the template.
+
+1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
+2. On the left-hand navigation menu, click **Policy**.
+3. In the Overview page, click **Add Policy**.
+4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**.
+5. Configure your policy, then click **Save Policy**
+6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
+
+**To create a custom configuration policy**
+
+You’ll need to create a custom policy to manage settings that are not available in the template. 
+
+1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
+2. On the left-hand navigation menu, click **Policy**.
+3. In the Overview page, click **Add Policy**.
+4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+5. Type a name and optional description for the policy.
+6. Under OMA-URI Settings, click **Add**.
+7. Complete the form to create a new setting, and then click **OK**.
+8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
+9. Once you're done, click **Save Policy** and deploy it to a user or device group.
+
+## Example: Manage Surface Hub settings with System Center Configuration Manager
+System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
+
+> [!NOTE]
+> These instructions are based on the current branch of System Center Configuration Manager.
+
+**To create a configuration item for Surface Hub settings**
+
+1. On the **Assets and Compliance** workspace of the Configuration Manager console, click **Overview** > **Compliance Settings** > **Configuration Items**.
+2. On the **Home** tab, in the **Create** group, click **Create Configuration Item**.
+3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
+4. Under **Specify the type of configuration item that you want to create**, select **Windows 8.1 and Windows 10**.
+5. Click **Categories** if you create and assign categories to help you search and filter configuration items in the Configuration Manager console.
+6. On the **Supported Platforms** page, select **Windows 10** > **All Windows 10 Team and higher**. Unselect the other Windows platforms. 
+7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
+8. On the **Windows 10 Team** page, configure the settings you require.
+9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
+10. On the **Additional Settings** page, click **Add**.
+11. On the **Browse Settings** dialog, click **Create Setting**.
+12. On the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
+13. Under **Setting type**, select **OMA URI**.
+14. Complete the form to create a new setting, and then click **OK**.
+15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
+16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
+17. Repeat Steps 10 to 16 for each custom setting you want to add to the configuration item.
+18. Once you're done, on the **Browse Settings** dialog, click **Close**.
+19. Complete the wizard. <br> You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace.
+
+For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/manage-surface-hub-settings.md

@@ -0,0 +1,24 @@
+---
+title: Manage Surface Hub settings
+description: This section lists topics for managing Surface Hub settings.
+keywords: Surface Hub accessibility settings, device account, device reset, windows updates, wireless network management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Manage Surface Hub settings
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | Learn about Surface Hub settings.  |
+| [Accessibility](accessibility-surface-hub.md) | Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.|
+| [Change the Surface Hub device account](change-surface-hub-device-account.md) | You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.|
+| [Device reset](device-reset-surface-hub.md) | You may need to reset your Surface Hub.|
+| [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) | Options to configure domain name with Surface Hub.  |
+| [Wireless network management](wireless-network-management-for-surface-hub.md) | Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. |

devices/surface-hub/manage-surface-hub.md

@@ -13,212 +13,25 @@ localizationpriority: medium
 
 # Manage Microsoft Surface Hub
 
+After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways:
 
-How to manage your Surface Hub after finishing the first-run program.
+- **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md).
+- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). 
 
-## Introduction
-
-
-After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in several ways:
-
--   Local management: using the Settings app on the device
--   Remote management: using a mobile device management (MDM) solution, like Microsoft Intune, AirWatch, or System Center 2012 R2 Configuration Manager.
-
-For locally-managed devices, administrator credentials are required to use the Settings app. These can be login credentials for Active Directory, Azure Active Directory (Azure AD), or a local admin account. One of these will have been selected during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)).
-
-For remotely-managed devices, the device must be enrolled into an MDM solution, either during first run or in the Settings app.
-
-Be aware that the two management methods are not mutually exclusive—every device will have the capability to be locally managed, and devices can be remotely managed if you choose.
-
->**Note**  If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes.
-
- 
-
-## Surface Hub-only settings
-
-
-Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs.
-
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Setting</th>
-<th align="left">Location</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Change friendly name</p></td>
-<td align="left"><p>System - About</p></td>
-<td align="left"><p>Set the Surface Hub name that people will see when connecting wirelessly.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Collect logs</p></td>
-<td align="left"><p>System - About</p></td>
-<td align="left"><p>Collect logs to give to Microsoft Support.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Change meeting info shown on the welcome screen</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Choose whether meeting organizer, time, and subject show up on the welcome screen.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Session time out</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Choose how long the device needs to be inactive before returning to the welcome screen.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Turn on screen with motion sensors</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Choose whether the screen turns on when motion is detected.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Configure Microsoft Operational Management Suite (MOMS)</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Add information to set up monitoring using MOMS.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Change Skype for Business fully qualified domain name (FQDN)</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Add the FQDN for a Skype for Business certificate.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Save BitLocker key</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Set the default destination for saving the BitLocker recovery key to a USB drive.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Turn off wireless projection using Miracast</p></td>
-<td align="left"><p>Devices - Connect</p></td>
-<td align="left"><p>Choose whether presenters can wirelessly project to the Surface Hub using Miracast.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Require a PIN for wireless projection</p></td>
-<td align="left"><p>Devices - Connect</p></td>
-<td align="left"><p>Choose whether people are required to enter a PIN before they use wireless projection.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Wireless projection (Miracast) channel</p></td>
-<td align="left"><p>Devices - Connect</p></td>
-<td align="left"><p>Change the channel for Miracast projection.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Change device account</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Change the Surface Hub's device account.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Check sync status</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Check the sync status of the device account’s mail and calendar on the Surface Hub.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Turn on password rotation</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Choose whether the device account’s password will automatically change every day (Active Directory only).</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Edit admin account</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Change the password for the local admin account.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Change maintenance hours</p></td>
-<td align="left"><p>Updates &amp; security – Windows Update – Advanced settings</p></td>
-<td align="left"><p>Set the hours when updates can be installed.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Configure Windows Server Update Services (WSUS) server</p></td>
-<td align="left"><p>Updates &amp; security – Windows Update – Advanced settings</p></td>
-<td align="left"><p>Change whether the device receives updates from the WSUS you choose.</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
-## Which should I choose?
-
-
-If you plan to deploy multiple Surface Hubs, we recommend that you manage your devices remotely. This requires that your organization use an MDM solution to deploy policies.
-
-Every Surface Hub can be managed locally by an admin who physically logs in to the device. Which method is used to log in is decided during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)).
+> [!NOTE]
+> These management methods are not mutually exclusive. Devices can be both locally and remotely managed if you choose. However, MDM policies and settings will overwrite any local changes when the Surface Hub syncs with the management server. 
 
 ## In this section
 
+Learn about managing and updating Surface Hub.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[Accessibility](accessibility-surface-hub.md)</p></td>
-<td align="left"><p>Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under <strong>Ease of Access</strong>. Your Surface Hub has the same accessibility options as Windows 10.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Change the Surface Hub device account](change-surface-hub-device-account.md)</p></td>
-<td align="left"><p>You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Device reset](device-reset-suface-hub.md)</p></td>
-<td align="left"><p>You may wish to reset your Surface Hub.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Install apps on your Surface Hub](install-apps-on-surface-hub.md)</p></td>
-<td align="left"><p>Admins can install apps can from either the Windows Store or the Windows Store for Business.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)</p></td>
-<td align="left"><p>A local admin account will be set up on every Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)</p></td>
-<td align="left"><p>Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Monitor your Surface Hub](monitor-surface-hub.md)</p></td>
-<td align="left"><p>Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Save your BitLocker key](save-bitlocker-key-surface-hub.md)</p></td>
-<td align="left"><p>Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Using a room control system](use-room-control-system-with-surface-hub.md)</p></td>
-<td align="left"><p>Room control systems can be used with your Surface Hub.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Windows updates](manage-windows-updates-for-surface-hub.md)</p></td>
-<td align="left"><p>You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Wireless network management](wireless-network-management-for-surface-hub.md)</p></td>
-<td align="left"><p>Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection.</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
- 
-
- 
-
-
-
-
+| Topic | Description |
+| ----- | ----------- |
+| [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
+| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
+| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.|
+| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.|
+| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
+| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
+| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
 

devices/surface-hub/manage-windows-updates-for-surface-hub.md

@@ -13,61 +13,125 @@ localizationpriority: medium
 
 # Windows updates (Surface Hub)
 
+New releases of the Surface Hub operating system are published through Windows Update, just like releases of Windows 10. There are a couple of ways you can manage which updates are installed on your Surface Hubs, and the timing for when updates are applied.
+- **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsoft’s Windows Update service.
+- **Windows Server Update Services (WSUS)** - Set of services that enable IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Using this method, Surface Hubs will receive updates from WSUS rather than Windows Update.
 
-You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
+You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
 
-### Maintenance window
+| Capabilities | Windows Update for Business | Windows server Update Services (WSUS) |
+| ------------ | --------------------------- | ------------------------------------- |
+| Receive updates directly from Microsoft's Windows Update service, with no additional infrastructure required.  | Yes  | No  |
+| Defer updates to provide additional time for testing and evaluation. | Yes  | Yes  |
+| Deploy updates to select groups of devices. | Yes | Yes |
+| Define maintenance windows for installing updates. | Yes  | Yes  |
+
+> [!TIP]
+> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
+
+> [!NOTE]
+> Surface Hub does not currently support rolling back updates.
+
+
+## Surface Hub servicing model
+
+Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+
+Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
+
+In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
+
+The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+
+For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview).
+
+
+## Use Windows Update for Business
+Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb).
+
+**To set up Windows Update for Business:**
+1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
+2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
+2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
+
+> [!NOTE]
+> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
+
+
+### Group Surface Hub into deployment rings
+Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
+
+This table gives examples of deployment rings.
+
+| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
+| --------- | --------- | --------- | --------- | --------- | --------- |
+| Evaluation (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Pilot (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) |  60 days after CBB is released. | 14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) |  180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+
+
+### Configure Surface Hub to use Current Branch or Current Branch for Business
+By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+
+**To manually configure Surface Hub to use CB or CBB:**
+1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 
+2. Select **Defer feature updates**.
+
+To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
+
+
+### Configure when Surface Hub receives updates
+Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+
+> [!NOTE]
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+
+
+## Use Windows Server Update Services
+
+You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
+
+**To manually connect a Surface Hub to a WSUS server:**
+1. Open **Settings** on your Surface Hub.
+2. Enter the device admin credentials when prompted.
+3. Navigate to **Update & security** > **Windows Update** > **Advanced options** > **Configure Windows Server Update Services (WSUS) server**.
+4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server.
+
+To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
+
+
+## Maintenance window
+
+To ensure the device is always available for use during business hours, Surface Hub performs its administrative functions during a specified maintenance window. During the maintenance window, the Surface Hub automatically installs updates through Windows Update or WSUS, and reboots the device if needed.
+
+Surface Hub follows these guidelines to apply updates:
+-   Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window.
+-   If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used.
+-   If a pending update is past the update’s prescribed grace period, the update will be immediately installed. If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window.
+
+> [!NOTE]
+> Allow time for updates when you first setup your Surface Hub. For example, a backlog of virus definitions may be available, which should be immediately installed.
 
 A default maintenance window is set for all new Surface Hubs:
+-   **Start time:** 3:00 AM
+-   **Duration:** 1 hour
 
--   Start time: 3:00 AM
--   Duration: 1 hour
+**To manually change the maintenance window:**
+1.  Open **Settings** on your Surface Hub.
+2.  Navigate to **Update & security** > **Windows Update** > **Advanced options**.
+3.  Under **Maintenance hours**, select **Change**.
 
-Most Windows updates are downloaded and installed automatically by Surface Hub. You can change the maintenance window to limit when the device can be automatically rebooted after a Windows update installation. For those updates that require a reboot of the device, the update installation will be postponed until the maintenance window begins. If a meeting is scheduled to start during the maintenance window, or if the Surface Hub sensors detect that the device is being used, the pending installation will be postponed to the next maintenance window.
+To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
 
->**Note**: If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed. The device will ignore meetings or sensor status and reboot during the maintenance window.
-
- 
-
-To change the default maintenance window:
-
-1.  Open the Settings app.
-2.  Navigate to **Update and Security** > **Advanced Options**.
-3.  Under **Maintenance hours**, click **Change**.
-
-### Deferring Windows updates
-
-You can choose to defer downloading or installing updates that install new Windows features. When you do, new Windows features won’t be downloaded or installed for up to several months. Deferring updates doesn’t affect security updates, which will be downloaded and installed as usual.
-
-To defer Windows feature updates:
-
-1.  Open the Settings app.
-2.  Navigate to **Update and Security** > **Advanced Options**.
-3.  Click on the checkbox for **Defer upgrades**.
-
-### Using WSUS
-
-You can use WSUS to manage the download and installation of Windows updates on your Surface Hub.
-
-To connect a Surface Hub to a WSUS server:
-
-1.  Open the Settings app.
-2.  Navigate to **Update and Security** > **Advanced Options**.
-3.  Click on the checkbox for **Configure Windows Server Update Services (WSUS) server**.
-4.  Check the box for **Use WSUS Server to download updates** and enter the WSUS endpoint.
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
 
- 
-
- 
-
-
-
-
-

devices/surface-hub/monitor-surface-hub.md

@@ -13,72 +13,132 @@ localizationpriority: medium
 
 # Monitor your Microsoft Surface Hub
 
+Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). The [Operations Management Suite](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs.
 
-Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
 
-The [Operations Management Suite (OMS)](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs. You can use OMS to help you track the health of your Surface Hubs as well as understand how they are being used. Log files are read on the devices and sent to the OMS service. Issues like servers being offline, the calendar not syncing, or the device account being unable to log into Skype are shown in OMS in the Surface Hub dashboard. By using the data in the dashboard, you can identify devices that are not running, or that are having other problems, and potentially apply fixes for the detected issues.
+Surface Hub is offered as a Log Analytics solution in OMS, allowing you to collect and view usage and reliability data across all your Surface Hubs. Use the Surface Hub solution to:
+- Inventory your Surface Hubs.
+- View a snapshot of usage and reliability data for Skype meetings, wired and wireless projection, and apps on your Surface Hubs.
+- Create custom alerts to respond quickly if your Surface Hubs report software or hardware issues.
 
-### OMS requirements
+## Add Surface Hub to Operations Management Suite
 
-In order to manage your Surface Hubs from the Microsoft Operations Management Suite (OMS), you'll need the following:
+1. **Sign in to Operations Management Suite (OMS)**. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+2. **Create a new OMS workspace**. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+3. **Link Azure subscription to your workspace**. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
 
--   A valid [subscription to OMS](http://www.microsoft.com/server-cloud/operations-management-suite/overview.aspx).
--   [Subscription level](https://go.microsoft.com/fwlink/?LinkId=718139) in line with the number of devices. OMS pricing varies depending on how many devices are enrolled, and how much data it processes. You'll want to take this into consideration when planning your Surface Hub rollout.
+    > [!NOTE] 
+    > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
 
-Next, you will either add an OMS subscription to your existing Microsoft Azure subscription or create a new workspace directly through the OMS portal. Detailed instructions for setting up the account can be found at: [Onboard in minutes](https://go.microsoft.com/fwlink/?LinkId=718141). Once the OMS subscription is set up, there are two ways to enroll your Surface Hub devices:
+4. **Add Surface Hub solution**. In the Solutions Gallery, select the **Surface Hub** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace.
 
-1.  Automatically through [InTune](https://go.microsoft.com/fwlink/?LinkId=718150), or
-2.  Manually through Settings.
+## Use the Surface Hub dashboard
+From the **Overview** page in your OMS workspace, click the Surface Hub tile to see the Surface Hub dashboard. Use the dashboard to get a snapshot of usage and reliability data across your Surface Hubs. Click into each view on the dashboard to see detailed data, modify the query as desired, and create alerts.
 
-### Setting up monitoring
+> [!NOTE]
+> Most of these views show data for the past 30 days, but this is subject to your subscription's data retention policy.
 
-You can monitor health and activity of your Surface Hub using Microsoft Operations Management Suite (OMS). The device can be enrolled in OMS remotely, using InTune, or locally, by using Settings.
+**Active Surface Hubs**
 
-### Enrolling devices through InTune
+Use this view to get an inventory of all your Surface Hubs. Once connected to OMS, each Surface Hub periodically sends a "heartbeat" event to the server. This view shows Surface Hubs that have reported a heartbeat in the past 24 hours.
 
-You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
+<!--
+**Skype meetings**
 
-InTune is a Microsoft product that allows you to centrally manage the OMS configuration settings that will be applied to one or more of your devices. Follow these steps to configure your devices through InTune:
+Use this view to get usage data for Skype over the past 30 days. The graph shows the total number of Skype Meetings started across your Surface Hubs, and a breakdown between scheduled meetings, ad hoc meetings, and PSTN calls.
+-->
  
-1.  Sign in to InTune.
-2.  Navigate to **Settings** &gt; **Connected Sources**.
-3.  Create or edit a policy based on the Surface Hub template.
-4.  Navigate to the OMS section of the policy, and add the **workspace ID** and **primary key** to the policy.
-5.  Save the policy.
-6.  Associate the policy with the appropriate group of devices.
+**Wireless projection**
 
-InTune will now sync the OMS settings with the devices in the target group, enrolling them in your OMS workspace.
+Use this view to get usage and reliability data for wireless projection over the past 30 days. The graph shows the total number of wireless connections across all your Surface Hubs, which provides an indication whether people in your organization are using this feature. If it's a low number, it may suggest a need to provide training to help people in your organization learn how to wirelessly connect to a Surface Hub.
  
-### Enrolling devices using the Settings app
+Also, the graph shows a breakdown of successful and unsuccessful connections. If you see a high number of unsuccessful connections, devices may not properly support wireless projection using Miracast. For best performance, Microsoft suggests that devices run a WDI Wi-Fi driver and a WDDM 2.0 graphics driver. Use the details view to learn if wireless projection problems are common with particular devices.
  
-You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
+When a connection fails, users can also do the following if they are using a Windows laptop or phone:
+- Remove the paired device from **Settings** > **Devices** > **Connected devices**, then try to connect again.
+- Reboot the device.
  
-If you don't use InTune to manage your environment, you can enroll devices manually through **Settings**:
+**Wired projection**
+
+Use this view to get usage and reliability data for wired projection over the past 30 days. If the graph shows a high number of unsuccessful connections, it may indicate a connectivity issue in your audio-visual pipeline. For example, if you use a HDMI repeater or a center-of-room control panel, they may need to be restarted.
+ 
+**Application usage**
+
+Use this view to get usage data for apps on your Surface Hubs over the past 30 days. The data comes from app launches on your Surface Hubs, not including Skype for Business. This view helps you understand which Surface Hub apps are the most valuable in your organization. If you are deploying new line-of-business apps in your environment, this can also help you understand how often they are being used.
+ 
+**Application Crashes**
+
+Use this view to get reliability data for apps on your Surface Hubs over the past 30 days. The data comes from app crashes on your Surface Hubs. This view helps you detect and notify app developers of poorly behaving in-box and line-of-business apps.
+ 
+**Sample Queries**
+
+Use this to create custom alerts based on a recommended set of queries. Alerts help you respond quickly if your Surface Hubs report software or hardware issues. For more inforamtion, see [Set up alerts using sample queries](#set-up-alerts-with-sample-queries).
+
+## Set up alerts with sample queries
+
+Use alerts to respond quickly if your Surface Hubs report software or hardware issues. Alert rules automatically run log searches according to a schedule, and runs one or more actions if the results match specific criteria. For more information, see [Alerts in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-alerts/).
+ 
+The Surface Hub Log Analytics solution comes with a set of sample queries to help you set up the appropriate alerts and understand how to resolve issues you may encounter. Use them as a starting point to plan your monitoring and support strategy.
+
+This table describes the sample queries in the Surface Hub solution:
+
+| Alert type | Impact | Recommended remediation | Details |
+| ---------- | ------ | ----------------------- | ------- |
+| Software   | Error  | **Reboot the device**. <br> Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). <br> Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: <br> - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. <br> - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
+| Software   | Error  | **Check your Exchange service**. <br> Verify: <br> - The service is available. <br> - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
+| Software   | Error  | **Check your Skype for Business service**. <br> Verify: <br> - The service is available. <br> - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details. <br> - The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. |
+| Software   | Error  | **Reset the device**. <br> This takes some time, so you should take the device offline. <br> For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
+| Hardware   | Warning | **None**. Indicates negligible impact to functionality.| Triggers when there is an error with any of the following hardware components: <br> - Virtual pen slots <br> - NFC driver <br> - USB hub driver <br> - Bluetooth driver <br> - Proximity sensor <br> - Graphical performance (video card driver) <br> - Mismatched hard drive <br> - No keyboard/mouse detected |
+| Hardware   | Error | **Contact Microsoft support**. <br> Indicates impact to core functionality (such as Skype, projection, touch, and internet connectivity). <br> **Note** Some events, including heartbeat, include the device’s serial number that you can use when contacting support.| Triggers when there is an error with any of the following hardware components. <br> **Components that affect Skype**: <br> - Speaker driver <br> - Microphone driver <br> - Camera driver <br> **Components that affect wired and wireless projection**: <br> - Wired touchback driver <br> - Wired ingest driver <br> - Wireless adapter driver <br> - Wi-Fi Direct error <br> **Other components**: <br> - Touch digitizer driver <br> - Network adapter error (not reported to OMS)|
+
+**To set up an alert**
+1.	From the Surface Hub solution, select one of the sample queries.
+2.	Modify the query as desired. See Log Analytics search reference to learn more.
+3.	Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/en-us/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert.
+4.	Click **Save** to complete the alert rule. It will start running immediately.
+
+## Enroll your Surface Hub
+
+For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
+
+| Agent resource              | Ports | Bypass HTTPS inspection? |
+| --------------------------- | ----- | ------------------------ |
+| *.ods.opinsights.azure.com  | 443   | Yes |
+| *.oms.opinsights.azure.com  | 443   | Yes |
+| *.blob.core.windows.net     | 443   | Yes |
+| ods.systemcenteradvisor.com | 443   | No  |
+
+The Microsoft Monitoring Agent, used to connect devices to OMS, is integrated with the Surface Hub operating system, so there is no need to install additional clients to connect Surface Hub to OMS.
+ 
+Once your OMS workspace is set up, there are several ways to enroll your Surface Hub devices:
+- [Settings app](#enroll-using-the-settings-app)
+- [Provisioning package](#enroll-using-a-provisioning-package)
+- [MDM provider](#enroll-using-a-mdm-provider), such as Microsoft Intune and Configuration Manager
+ 
+You'll need the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
+ 
+### Enroll using the Settings app
+
+**To Enroll using the settings app**
 
 1. From your Surface Hub, start **Settings**.
 2. Enter the device admin credentials when prompted.
-3.  Click **System**, and navigate to Microsoft Operations Management Suite.
-4.  Click **Configure**.
-5.  Select **Enable monitoring**.
-6.  In the OMS settings dialog, type the **workspace ID**.
-7.  Repeat steps 5 and 6 for the **primary key**.
-8.  Click **OK** to complete the configuration.
+3. Select **This device**, and navigate to **Device management**.
+4. Under **Monitoring**, select **Configure OMS settings**.
+5. In the OMS settings dialog, select **Enable monitoring**.
+6. Type the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
+7. Click **OK** to complete the configuration.
  
 A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS.
 
-### Monitoring devices
+### Enroll using a provisioning package
+You can use a provisioning package to enroll your Surface Hub. For more infomation, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
  
-Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices.
-
-1.  Sign in to the OMS portal.
-2.  Navigate to the Surface Hub solution pack dashboard.
-3.  Your device's health will be displayed here.
-
-You can create OMS alerts based on existing or custom queries that use the data collected through OMS.
+### Enroll using a MDM provider
+You can enroll Surface Hub into OMS using the SurfaceHub CSP. Intune and Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. For more information, see [Manage Surface Hub settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md

@@ -71,7 +71,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
 
     ```PowerShell
     Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
-    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
+    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
     ```
 
 5.  If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.

devices/surface-hub/online-deployment-surface-hub-device-accounts.md

@@ -57,17 +57,17 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
 
     ```PowerShell
-    Set-Mailbox $acctUpn -Type Regular
-    Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id
-    Set-Mailbox $acctUpn -Type Room
-    Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
+    Set-Mailbox 'HUB01@contoso.com' -Type Regular
+    Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
+    Set-Mailbox 'HUB01@contoso.com' -Type Room
+    Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force) -EnableRoomMailboxAccount $true
     ```
 
 4.  Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
 
     ```PowerShell
-    Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
-    Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
+    Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+    Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
     ```
 
 5.  Connect to Azure AD.
@@ -81,7 +81,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
 6.  If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
 
     ```PowerShell
-    Set-MsolUser -UserPrincipalName $acctUpn -PasswordNeverExpires $true
+    Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
     ```
 
 7.  The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
@@ -91,9 +91,9 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
 
     ```PowerShell
-    Set-MsolUser -UserPrincipalName $acctUpn -UsageLocation "US"
+    Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US"
     Get-MsolAccountSku
-    Set-MsolUserLicense -UserPrincipalName $acctUpn -AddLicenses $strLicense
+    Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
     ```
 
 8.  Enable the device account with Skype for Business.
@@ -118,14 +118,14 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     -   To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
 
         ```PowerShell
-        Enable-CsMeetingRoom -Identity $rm -RegistrarPool  
+        Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool  
         "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
         ```
 
         If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
 
         ```PowerShell
-        Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool*
+        Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
         ```
 
 9.  Assign Skype for Business license to your Surface Hub account.

devices/surface-hub/password-management-for-surface-hub-device-accounts.md

@@ -13,62 +13,24 @@ localizationpriority: medium
 
 # Password management (Surface Hub)
 
+Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change (or "rotate") this password regularly. However, if the device account’s password changes, the password that was previously stored on the Surface Hub will be invalid, and all features that depend on the device account will be disabled. You will need to update the device account’s password on the Surface Hub from the Settings app to re-enable these features.
 
-Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device account’s password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device account’s password on the Surface Hub from the Settings app to re-enable these features.
+To simplify password management for your Surface Hub device accounts, there are two options:
 
-To prevent the device account from expiring, there are two options:
-
-1.  Set the password on the device account so it doesn't expire.
+1.  Turn off password expiration for the device account.
 2.  Allow the Surface Hub to automatically rotate the device account’s password.
 
-## Setting the password so it doesn't expire
 
+## Turn off password rotation for the device account
 
 Set the device account’s **PasswordNeverExpires** property to True. You should verify whether this meets your organization’s security requirements.
 
-## Allow the Surface Hub to manage the password
-
-
-The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily.
-
-Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password.
-
-For your device account to use password rotation, you must meet enter the device account’s information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted:
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Environment</th>
-<th align="left">Required format for device account</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Device account is hosted only online</p></td>
-<td align="left"><p>username@contoso.com</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Device account is hosted only on-prem</p></td>
-<td align="left"><p>DOMAIN\username</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Device account is hosted online and on-prem (hybrid)</p></td>
-<td align="left"><p>DOMAIN\username</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
- 
-
- 
-
 
+## Allow the Surface Hub to automatically rotate the device account’s password
 
+The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information. You can enable this feature in **Settings**. Once enabled, the device account's password will change weekly during maintenance hours.
 
+Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory or the Office 365 admin portal to reset the password.
 
+> [!IMPORTANT]
+> If your organization uses a hybrid topology (some services are hosted on-premises and some are hosted online through Office 365), you must setup the device account in **domain\username** format. Otherwise, password rotation will not work.

devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md

@@ -13,248 +13,209 @@ localizationpriority: medium
 
 # Create provisioning packages (Surface Hub)
 
+This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
 
-For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
+You can apply a provisioning package using a USB during first run, or through the **Settings** app. 
 
-In this topic, you'll find the following information:
 
--   [Introduction to provisioning packages](#intro-prov-pkg)
--   [What can provisioning packages configure for Microsoft Surface Hubs?](#what-can-prov-pkg)
--   [How do I create and deploy a provisioning package?](#how-do-i-prov-pkg)
--   [Requirements](#requirements-prov-pkg)
--   [Install the Windows Imaging and Configuration Designer](#installing-wicd-prov-pkg)
--   [Create a provisioning package for certificates](#creating-prov-pkg-certs)
--   [Create a provisioning package for apps](#creating-prov-pkg-apps)
--   [Deploy a provisioning package to a Surface Hub](#deploy-to-hub-prov-pkg)
-    -   [Deploy a provisioning package using first run](#deploy-via-oobe-prov-pkg)
-    -   [Deploy a provisioning package using Settings](#deploy-via-settings-prov-pkg)
+## Advantages
+-   Quickly configure devices without using a MDM provider.
 
-### <a href="" id="intro-prov-pkg"></a>Introduction to provisioning packages
+-   No network connectivity required.
 
-Provisioning packages are created using Windows Imaging and Configuration Designer (WICD), which is a part of the Windows Assessment and Deployment Kit (ADK). For Surface Hub, the provisioning packages can be placed on a USB drive.
+-   Simple to apply.
 
-### <a href="" id="what-can-prov-pkg"></a>What can provisioning packages configure for Surface Hubs?
+[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages)
 
-Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios.
 
-You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps).
+## Requirements 
 
->**Note**  Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+To create and apply a provisioning package to a Surface Hub, you'll need the following:
 
- 
-
-### <a href="" id="how-do-i-prov-pkg"></a>How do I create and deploy a provisioning package?
-
-Provisioning packages must be created using the Windows Imaging and Configuration Designer (ICD).
-
-### <a href="" id="requirements-prov-pkg"></a>Requirements
-
-In order to create and deploy provisioning packages, all of the following are required:
-
--   Access to the Settings app on Surface Hub (using admin credentials which were configured at initial setup of the Surface Hub).
--   Windows Imaging and Configuration Designer (ICD), which is installed as a part of the windows 10 Assessment and Deployment Kit (ADK).
+-   Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740).
 -   A PC running Windows 10.
--   USB flash drive.
+-   A USB flash drive.
+-   If you apply the package using the **Settings** app, you'll need device admin credentials.
 
-### <a href="" id="installing-wicd-prov-pkg"></a>Install the Windows Imaging and Configuration Designer
+You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
 
-1.  The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718147).
-    >**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.  
 
-2.  Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
+## Supported items for Surface Hub provisioning packages
 
-    Before going to the next step, make sure you have the following checked:
+Currently, you can add these items to provisioning packages for Surface Hub:
+- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange.
+- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev.
+- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
 
-    -   **Deployment Tools**
-    -   **Windows Preinstallation Environment**
-    -   **Imaging and Configuration Designer**
-    -   **User State Migration Tool**
 
-    All four of these features are required to run the ICD and create a package for the Surfact Hub.
+## Create the provisioning package
 
-    ![Image showing Windows ADK install page - select features to install.](images/idcfeatureschecklist.png)
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD).  [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
 
-3.  Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
+1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
 
-### <a href="" id="creating-prov-pkg-certs"></a>Create a provisioning package for certificates
+2. Click **Advanced provisioning**.
 
-This example will demonstrate how to create a provisioning package to install a certificate.
+    ![ICD start options](images/ICDstart-option.PNG)  
   
-1.  On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
+3. Name your project and click **Next**.
 
-    ![Image showing Start page in Windows Imaging and Configuration Designer.](images/wicd-screen01a.png)
+4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
 
-2.  When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
+    ![ICD new project](images/icd-new-project.png)
 
-    ![Image showing New project screen for Windows Imaging and Configuration Designer.](images/wicd-screen02a.png)
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
 
-    Select the settings that are **Common to all Windows editions**, and click **Next**.
+    ![ICD common settings](images/icd-common-settings.png)
 
-    ![Image showing project settings in Windows Imaging and Configuration Designer.](images/wicd-screen02b.png)
 
-    When asked to import a provisioning package, just click **Finish.**
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
 
-    ![Image showing option for importing a provisioning package.](images/wicd-screen02c.png)
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
 
-3.  ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
 
-    ![Image showing Windows Imaging and Configuration Designer's man page.](images/wicd-screen03a.png)
+2. Enter a **CertificateName** and then click **Add**. 
 
-    In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
+2. Enter the **CertificatePassword**. 
 
-4.  In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
+3. For **CertificatePath**, browse and select the certificate. 
 
-    ![Image showing available customizations in Windows Imaging and Configuration Designer.](images/wicd-screen04a.png)
+4. Set **ExportCertificate** to **False**.
 
-5.  In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
+5. For **KeyLocation**, select **Software only**.
 
-    ![icd tiles](images/wicd-screen06a.png)
 
-6.  Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
 
-    ![icd tiles](images/wicd-screen07a.png)
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
 
-7.  You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \<PFM\>...\</PFM\> tags.
 
-    ![icd tiles](images/wicd-screen08a.png)
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
-    Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
 
-    ![icd tiles](images/wicd-screen09a.png)
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
 
-    Choose where to save the provisioning package, and click **Next**.
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
 
-    ![icd tiles](images/wicd-screen10a.png)
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
 
-    Review the information shown, and if it looks good, click **Build**.
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \<License\> tag, use the value in the **LicenseID** attribute.
 
-    ![icd tiles](images/wicd-screen11a.png)
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
 
-    You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
 
-    ![icd tiles](images/wicd-screen12a.png)
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
 
-8.  Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
 
-### <a href="" id="creating-prov-pkg-apps"></a>Create a provisioning package for apps
+2. Select one of the available policy areas.
 
-This example will demonstrate how to create a provisioning package to install offline-licensed apps purchased from the Windows Store for Business. For information on offline-licensed apps and what you need to download in order to install them, see [Distribute offline apps](https://go.microsoft.com/fwlink/?LinkId=718148).
+3. Select and set the policy you want to add to your provisioning package.
 
-For each app you want to install on Surface Hubs, you'll need to download:
 
--   App metadata
--   App package
--   App license
+### Add Surface Hub settings to your package 
 
-Depending on the app, you may or may not need to download a new app framework.
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. 
 
-1.  On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
 
-    ![icd tiles](images/wicd-screen01a.png)
+2. Select one of the available setting areas.
 
-2.  When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
+3. Select and set the setting you want to add to your provisioning package. 
 
-    ![icd tiles](images/wicd-screen-apps-02a.png)
 
-    Select the settings that are **Common to all Windows desktop editions**, and click **Next**.
+## Build your package
 
-    ![icd tiles](images/wicd-screen02b.png)
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
 
-    When asked to import a provisioning package, just click **Finish.**
+2. Read the warning that project files may contain sensitive information, and click **OK**.
 
-    ![icd tiles](images/wicd-screen02c.png)
+    > [!IMPORTANT]
+    > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 
-3.  ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **UniversalAppInstall** and click **DeviceContextApp**.
+3. On the **Export** menu, click **Provisioning package**.
 
-    ![icd tiles](images/wicd-screen-apps-03a.png)
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
 
-    In the center pane, you’ll be asked to specify a **PackageFamilyName** for the app. This is one of the things you downloaded from the Store for Business. Click **Add**, and an entry will be added in the left pane.
+5. Set a value for **Package Version**, and then select **Next.**
 
-4.  In the **Available customizations** pane on the left, new categories will be displayed for **ApplicationFile** and **LaunchAppAtLogin** underneath the **PackageFamilyName** you just entered. Enter the appx filename in the **ApplicationFile** box in the center pane.
+    > [!TIP]
+    > You can make changes to existing packages and change the version number to update previously applied packages.
 
-    ![icd tiles](images/wicd-screen-apps-04a.png)
+6. Optional: You can choose to encrypt the package and enable package signing.
 
-    Generally, **LaunchAppAtLogin** should be set to **Do not launch app** or **NOT CONFIGURED**.
+    -   **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
 
-5.  Next, click **DeviceContextAppLicense** in the left pane. In the center pane, you’ll be asked to specify the **LicenseProductId**. Click **Add**. Back in the left pane, click on the **LicenseProductId** that you just added. In the center pane, you'll need to specify **LicenseInstall**. Enter the name of the license file that you previously downloaded from the Store for Business, either by typing or clicking **Browse**. The file will have a extension of "ms-windows-store-license".
+    -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
 
-    ![icd tiles](images/wicd-screen-apps-06a.png)
+        > [!IMPORTANT]
+        > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
 
-6.  Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
+Optionally, you can click **Browse** to change the default output location.
 
-    ![icd tiles](images/wicd-screen07a.png)
+8. Click **Next**.
 
-7.  You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
 
-    ![icd tiles](images/wicd-screen-apps-08a.png)
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
 
-    Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
     
-    ![icd tiles](images/wicd-screen09a.png)
+    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
 
-    Choose where to save the provisioning package, and click **Next**.
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
 
-    ![icd tiles](images/wicd-screen-apps-10a.png)
 
-    Review the information shown, and if it looks good, click **Build**.
+## Apply a provisioning package to Surface Hub
 
-    ![icd tiles](images/wicd-screen-apps-11a.png)
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). 
 
-    You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
 
-    ![icd tiles](images/wicd-screen-apps-12a.png)
+### Apply a provisioning package during first run
 
-8.  Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
 
-### <a href="" id="deploy-to-hub-prov-pkg"></a>Deploy a provisioning package to a Surface Hub
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
 
-The following two methods for deploying provisioning packages apply to any kind of provisioning package that is being deployed to a Surface Hub. There is no difference in the way cert provisioning packages and app provisioning packages are installed. You may see different description text in the UI depending on what the package is for, but the process is still the same.
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
 
-### <a href="" id="deploy-via-oobe-prov-pkg"></a>Deploy a provisioning package using first run
+    ![Set up device?](images/provisioningpackageoobe-01.png)
 
-1.  When you turn on the Surface Hub for the first time, the first run process will display the page titled **Hi there**. Make sure the settings on this page are correct before you proceed. (See [Hi there page](first-run-program-surface-hub.md#first-page) for details.) Once you've deployed your provisioning package, the first run process will not return here. It will continue to the next screen.
-2.  Insert the USB drive into the Surface Hub.
-3.  Press the Windows key on the separate keyboard five times. You’ll see a dialog box asking whether you want to set up your device. Click **Set Up**.
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![image with set up device message for surface hub.](images/provisioningpackageoobe-01.png)IMage
+    ![Provision this device](images/provisioningpackageoobe-02.png)
     
-4.  Click on **Removable Media** in the **Provision From** dropdown list, then click **Next**.
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
 
-    ![image with provision this device page for surface hub. ](images/provisioningpackageoobe-02.png)
+    ![Choose a package](images/provisioningpackageoobe-03.png)
 
-5.  The available packages in the root directory of the USB drive will be listed. Note that you can only install one package during first run. Select the package you want to install and then click **Next**.
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
 
-    ![image with choose a package page for surface hub. ](images/provisioningpackageoobe-03.png)
+    ![Do you trust this package?](images/provisioningpackageoobe-04.png)
 
-6.  You’ll then see a dialog asking if it’s from a source you trust. Click **Yes, add it**. The certificate will be installed, and you’ll be taken to the next page of first run.
 
-    ![image with ](images/provisioningpackageoobe-04.png)
+### Apply a package using Settings
 
-### <a href="" id="deploy-via-settings-prov-pkg"></a>Deploy a provisioning package using Settings
-
-1.  Insert the USB drive into the Surface Hub you want to deploy to.
-2.  On the Surface Hub, open **Settings** and enter in the admin credentials.
-3.  Navigate to **System &gt; Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
-4.  Here, click the button for **Add a package**.
-
-    ![Image showing provisioining packages page in Settings.](images/provisioningpackagesettings-01.png)
-
-5.  Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
-
-    ![Image showing add a package page in Settings.](images/provisioningpackagesettings-02.png)
-
-6.  Choose your package and click **Add**.
-
-    ![Image showing select a package box.](images/provisioningpackagesettings-03.png)
-
-7.  You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
-8.  You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.
-
- 
-
- 
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
 
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
 
+3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
 
+4. Select **Add a package**.
 
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
 
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.

devices/surface-hub/remote-surface-hub-management.md

@@ -0,0 +1,21 @@
+---
+title: Remote Surface Hub management
+description: This section lists topics for managing Surface Hub.
+keywords: remote management, MDM, install apps, monitor Surface Hub, Operations Management Suite, OMS
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Remote Surface Hub management
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Manage settings with an MDM provider]( https://technet.microsoft.com/itpro/surface-hub/manage-settings-with-mdm-for-surface-hub) | Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.|
+| [Monitor your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/monitor-surface-hub) | Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite.|
+| [Windows updates](https://technet.microsoft.com/itpro/surface-hub/manage-windows-updates-for-surface-hub) | You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.|

devices/surface-hub/save-bitlocker-key-surface-hub.md

@@ -24,11 +24,11 @@ There are several ways to manage your BitLocker key on the Surface Hub.
 
 2.  If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
 
-3.  If you’re using a local admin account to manage the device, you can save the BitLocker key by going to Settings and navigating to **System** > **Microsoft Surface Hub**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+3.  If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/surface-hub-administrators-guide.md

@@ -16,7 +16,7 @@ localizationpriority: medium
 
 This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
 
-Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
+Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
 
 ## In this section
 

devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md

@@ -7,21 +7,19 @@ author: TrudyHa
 localizationpriority: medium
 ---
 
-# When to use a fully qualified domain name with Surface Hub
+# Configure domain name for Skype for Business
 
-A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN.
+There are a few scenarios where you need to specify the domain name of your Skype for Business server:
 - **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.  
 - **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
-- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails.  The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
+- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails.  Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
 
-## Add FQDN to Surface Hub 
-
-You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed. 
-
-**To add Skype for Business Server FQDN**</br>
-1. On Surface Hub open the **Settings** app.
-2. Navigate to **System**, **Microsoft Surface Hub**. 
-3. Under **Skype for Business**, click **Add FQDN**. 
-4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com. 
+**To configure the domain name for your Skype for Business server**</br>
+1. On Surface Hub, open **Settings**.
+2. Click **This device**, and then click **Calling**. 
+3. Under **Skype for Business configuration**, click **Configure domain name**. 
+4. Type the domain name for your Skype for Business server, and then click **Ok**. 
+> [!TIP]
+> You can type multiple domain names, separated by commas. <br> For example: lync.com, outlook.com, lync.glbdns.microsoft.com
 
     ![Add Skype for Business FQDN to Settings](images/system-settings-add-fqdn.png)

devices/surface-hub/wireless-network-management-for-surface-hub.md

@@ -36,10 +36,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 
 1.  On the Surface Hub, open **Settings** and enter your admin credentials.
 2.  Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
-
-    ![Image showing where to find Advanced options for Network & Internect, Wi-Fi settings.](images/networkmgtwireless-03.png)
-
-3.  The system will show you the properties for the wireless network connection.
+3.  Surface Hub shows you the properties for the wireless network connection.
 
     ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
 

devices/surface/TOC.md

@@ -1,5 +1,6 @@
 # [Surface](index.md)
 ## [Deploy Surface devices](deploy.md)
+### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
 ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
 ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
 ### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
@@ -12,6 +13,7 @@
 ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
 ### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
 ### [Surface Dock Updater](surface-dock-updater.md)
+## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
 ## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
 ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
 ## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
@@ -21,5 +23,6 @@
 ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
 ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
 ## [Surface Data Eraser](microsoft-surface-data-eraser.md)
+## [Change history for Surface documentation](change-history-for-surface.md)
 
 

devices/surface/advanced-uefi-security-features-for-surface-pro-3.md

@@ -28,7 +28,8 @@ To update the UEFI on Surface Pro 3, you can download and install the Surface UE
 ## Manually configure additional security settings
 
 
->**Note:**  To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
+>[!NOTE]
+>To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
 
 After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named **Advanced Device Security** becomes available. If you click this menu, the following options are displayed:
 

devices/surface/change-history-for-surface.md

@@ -0,0 +1,24 @@
+---
+title: Change history for Surface documentation (Windows 10)
+description: This topic lists new and updated topics in the Surface documentation library.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Change history for Surface documentation
+
+This topic lists new and updated topics in the Surface documentation library.
+
+## October 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New |
+| [Long-term servicing branch for Surface devices](ltsb-for-surface.md) | New |
+
+
+
+
+ 

devices/surface/considerations-for-surface-and-system-center-configuration-manager.md

@@ -0,0 +1,76 @@
+---
+title: Considerations for Surface and System Center Configuration Manager (Surface)
+description: The management and deployment of Surface devices with Configuration Manager is fundamentally the same as any other PC; this article describes scenarios that may require additional considerations.
+keywords: manage, deployment, updates, driver, firmware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: Scottmca
+---
+
+# Considerations for Surface and System Center Configuration Manager
+
+Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device.
+
+You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index) article in the TechNet Library.
+
+Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.
+
+>[!NOTE]
+>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
+
+## Updating Surface device drivers and firmware
+
+For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+
+As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs).
+
+>[!NOTE]
+>Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/en-us/kb/3025419).
+
+## Surface Ethernet adapters and Configuration Manager deployment
+
+The default mechanism that Configuration Manager uses to identify devices during deployment is the Media Access Control (MAC) address. Because the MAC address is associated with the Ethernet controller, an Ethernet adapter shared among multiple devices will cause Configuration Manager to identify each of the devices as only a single device. This can cause a Configuration Manager deployment of Windows to not be applied to intended devices.
+
+To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
+
+* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+
+* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+
+* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
+
+Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions.
+
+For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog as documented in the [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/) blog post from the Ask The Core Team blog.
+
+## Deploy Surface app with Configuration Manager
+
+With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
+
+## Use prestaged media with Surface clients
+
+If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/en-us/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
+
+Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
+
+## Licensing conflicts with OEM Activation 3.0
+
+Surface devices come preinstalled with a licensed copy of Windows. For example, Surface Pro 4 is preinstalled with Windows 10 Professional. The license key for this preinstalled copy of Windows is embedded in the firmware of the device with OEM Activation 3.0 (OA 3.0). When you run Windows installation media on a device with an OA 3.0 key, Windows setup automatically reads the license key and uses it to install and activate Windows. In most situations, this simplifies the reinstallation of Windows, because the user does not have to find or enter a license key.
+
+When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services (KMS) or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
+
+However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/en-us/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
+
+## Apply an asset tag during deployment
+
+Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
+
+To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/en-us/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
+
+## Configure push-button reset
+
+When you deploy Windows to a Surface device, the push-button reset functionality of Windows is configured by default to revert the system back to a state where the environment is not yet configured. When the reset function is used, the system discards any installed applications and settings. Although in some situations it can be beneficial to restore the system to a state without applications and settings, in a professional environment this effectively renders the system unusable to the end user.
+
+Push-button reset can be configured, however, to restore the system configuration to a state where it is ready for use by the end user. Follow the process outlined in [Deploy push-button reset features](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/deploy-push-button-reset-features) to customize the push-button reset experience for your devices.

devices/surface/deploy-surface-app-with-windows-store-for-business.md

@@ -91,7 +91,7 @@ To download the required frameworks for the Surface app, follow these steps:
 
 ##Install Surface app on your computer with PowerShell
 The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
-1.	Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#how-to-download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file. 
+1.	Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file. 
 2.	Begin an elevated PowerShell session.
 >**Note:**  If you don’t run PowerShell as an Administrator, the session won’t have the required permissions to install the app.
 3.	In the elevated PowerShell session, copy and paste the following command:
@@ -119,7 +119,7 @@ Before the Surface app is functional on the computer where it has been provision
 
 ##Install Surface app with MDT
 The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image.
-1.	Using the procedure described [earlier in this article](#how-to-download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file. 
+1.	Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file. 
 2.	Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**.
 3.	On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows:
 

devices/surface/deploy.md

@@ -16,6 +16,7 @@ Get deployment guidance for your Surface devices including information about MDT
 
 | Topic | Description |
 | --- | --- |
+| [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) | Explains that LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. | 
 | [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
 | [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
 | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|

devices/surface/index.md

@@ -13,7 +13,7 @@ author: heatherpoulsen
 # Surface
 
 
-This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
+This library provides guidance to help you deploy Windows on Microsoft Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
 
 For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface).
 
@@ -23,12 +23,14 @@ For more information on planning for, deploying, and managing Surface devices in
 | --- | --- |
 | [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
 | [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
+| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | Get guidance on how to deploy and manage Surface devices with System Center Configuration Manager. |
 | [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
 | [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
 | [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
 | [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
 | [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
 | [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
+| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
 
 
 

devices/surface/ltsb-for-surface.md

@@ -0,0 +1,44 @@
+---
+title: Long-Term Servicing Branch for Surface devices (Surface)
+description: LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Long-Term Servicing Branch (LTSB) for Surface devices
+
+
+General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB). 
+
+>[!NOTE]
+>For more information about the servicing branches, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
+
+LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices. 
+
+General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as those in CB, at a later date.
+
+Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–may consider the use of LTSB. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization. 
+
+
+
+
+
+## Related topics
+
+- [Surface TechCenter](https://technet.microsoft.com/windows/surface)
+
+- [Surface for IT pros blog](http://blogs.technet.com/b/surface/)
+
+ 
+
+ 
+
+ 
+
+
+
+
+

education/windows/TOC.md

@@ -5,6 +5,7 @@
 ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
 ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
 ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
 ## [Get Minecraft Education Edition](get-minecraft-for-education.md)
 ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)

education/windows/change-history-edu.md

@@ -12,6 +12,14 @@ author: jdeckerMS
 
 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
 
+## November 2016
+
+| New or changed topic | Description|
+| --- | --- |
+| [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)  | New. Learn about education scenarios for Windows Store for Business.  |
+| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md)  | Updates. Subscription support for Minecraft: Education Edition.  |
+| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md)  | Updates. Subscription support for Minecraft: Education Edition.  |
+
 ## September 2016
 
 | New or changed topic | Description|

education/windows/chromebook-migration-guide.md

@@ -35,8 +35,8 @@ App migration or replacement is an essential part of your Chromebook migration.
 
 Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio).
 
-**Note**  
-The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
+> [!NOTE]  
+> The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
 
  
 

education/windows/deploy-windows-10-in-a-school-district.md

@@ -728,7 +728,7 @@ To implement this method, perform the following steps:
    Put the student information in the format the bulk-import feature requires.
 2. Bulk-import the student information into Azure AD.
 
-   For more information about how to perform this step, see the [Bulk-import user and group accounts in Office 365](#bulk-import-user-and-group-accounts-in-office-365) section.
+   For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
 
 #### Summary
 

education/windows/education-scenarios-store-for-business.md

@@ -0,0 +1,180 @@
+---
+title: Education scenarios Windows Store for Business
+description: Learn how IT admins and teachers can use Windows Store for Business to acquire and manage apps in schools.
+keywords: ["school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: trudyha
+---
+
+# Working with Windows Store for Business – education scenarios
+
+Learn about education scenarios for Windows Store for Business. IT admins and teachers can use Windows Store for Business to find, acquire, distribute, and manage apps. 
+
+## Manage Windows Store for Business settings
+
+### Access to Windows Store for Business
+Applies to: IT admins
+
+By default, when a teacher with a work or school account acquires Minecraft: Education Edition,they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students. 
+
+However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page. 
+
+**To manage educator access to Windows Store for Business**
+1.  In Windows Store for Business, click **Settings**, and then click **Permissions**. 
+
+    ![Permission page for Windows Store for Business](images/minecraft-admin-permissions.png)
+
+2. Select, or clear **Allow educators in my organization to sign up for the Windows Store for Business**.
+
+### Windows Store for Business permissions
+Applies to: IT admins
+
+**Minecraft: Education Edition** adds a new role for teachers: **Basic Purchaser**. As an Admin, you can assign this role to teachers in your organization. When a teacher has been granted this role, they can:
+- View the Minecraft: Education Edition product description page 
+- Acquire and manage Minecraft: Education Edition, and other apps from Store for Business
+- Use info on Support page (including links to documentation and access to support through customer service)
+
+    ![assign roles to manage Minecraft permissions](images/minecraft-perms.png)
+
+**To assign Basic Purchaser role**
+
+1. Sign in to Store for Business </br>
+
+    > [!NOTE]
+    > You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
+    
+2. Click **Settings**, and then choose **Permissions**.
+
+    ![Permission page for Windows Store for Business](images/minecraft-admin-permissions.png)
+3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
+
+    ![Permission page for Windows Store for Business](images/minecraft-assign-roles.png)
+    
+    Windows Store for Business updates the list of people and permissions. 
+    
+    ![Permission page for Windows Store for Business](images/minecraft-assign-roles-2.png)
+
+### Private store
+
+Applies to: IT admins
+
+When you create you Windows Store for Business account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use. 
+
+These apps will automatically be in your private store:
+- Word mobile
+- Excel mobile
+- PowerPoint mobile
+- OneNote
+- Sway
+- Fresh Paint
+- Minecraft: Education Edition
+
+As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
+
+## Manage domain settings 
+
+Applies to: IT admins
+
+### Self-service sign up
+Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
+
+### Domain verification
+For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
+
+## Acquire apps
+Applies to: IT admins and teachers
+
+Find apps for your school using Windows Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
+ 
+**To acquire apps**
+- For info on how to acquire apps, see [Acquire apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#acquire-apps) 
+
+**To add a payment method**
+
+If you the app you purchase has a price, you’ll need to provide a payment method. 
+- Click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
+ 
+For more information on payment options, see [payment options](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#payment-options). 
+
+For more information on tax rates, see [tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information). 
+
+### Get started with Minecraft: Education Edition
+Teachers and IT administrators can now get trials or subscriptions to Minecraft: Education Edition and add it to Windows Store for Business for distribution.
+- [Get started with Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/get-minecraft-for-education)
+- [For IT admins – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft)
+- [For teachers – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft)
+
+
+## Manage WSfB inventory
+Applies to: IT admins and teachers
+
+### Manage purchases
+IT admins and teachers in educational settings can purchase apps from Windows Store for Business. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default. 
+
+While both groups can purchase apps, they can't manage purchases made by the other group. 
+
+Admins can:
+- Manage and distribute apps they purchased and apps that are purchased by other admins in the organization. 
+- View apps purchased by teachers.
+- View and manage apps on **Inventory**, under **Admin purchases**. 
+
+Teachers can:
+- Manage and distribute apps they purchased.
+- View and manage apps on **Inventory**, under **User purchases**. 
+
+> [!NOTE]
+> Teachers can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
+ 
+
+### Distribute apps
+
+Manage and distribute apps to students and others in your organization. Different options are avaialble for admins and teachers. 
+
+Applies to: IT admins
+
+**To manage and distribute apps**
+- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft#distribute_minecraft)
+- For info on how to manage and distribute other apps, see [App inventory management - Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business)
+
+Applies to: Teachers
+
+For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft#distribute-minecraft). 
+
+**To assign an app to a student**
+
+1. Sign in to the Store for Business.
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
+4. Type the email address, or name for the student that you're assigning the app to, and click **Confirm**.
+
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+
+### Purchase additional licenses
+Applies to: IT admins and teachers
+
+You can manage current app licenses, or purchase more licenses for apps in your inventory. 
+
+**To purchase additional app licenses**
+1. From **Inventory**, click an app. 
+2. On the app page, click **View app details**. 
+3. From this page, click **Buy more** to purchase more licenses</br>
+-OR-</br>
+Click **Manage** to distribute or reclaim current licenses. 
+
+You'll have a summary of current license availability.  
+
+**Minecraft: Education Edition subscriptions**
+
+Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Windows Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses. 
+
+## Manage WSfB order history
+Applies to: IT admins and teachers
+
+You can manage your orders through Windows Store for Business. For info on order history and how to refund an order, see [Manage app orders in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/manage-orders-windows-store-for-business). 
+
+It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**. 
+
+> [!NOTE]
+For **Minecraft: Education Edition**, you can request a refund through Windows Store for Business for two months from the purchase date. After two months, refunds require a support call. 

education/windows/get-minecraft-for-education.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 author: jdeckerMS
 ---
 
-# Get Minecraft Education Edition
+# Get Minecraft: Education Edition
 
 **Applies to:**
 
@@ -19,24 +19,24 @@ author: jdeckerMS
 
 <iframe width="501" height="282" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
 
-Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution. 
+Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. 
 
-![education.minecraft.net](images/minecraft.png)
+<!-- ![education.minecraft.net](images/minecraft.png) -->
 
 ## Prerequisites
  
-- **Minecraft Education Edition** requires Windows 10.
-- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
-    - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**.
-    * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan)
-    * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
+- **Minecraft: Education Edition** requires Windows 10.
+- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
+    - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
+    * Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
+    * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
 
-![teacher](images/teacher.png) 
+<!-- ![teacher](images/teacher.png) --> 
 
-[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md)
+[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
 
   
-![IT administrator](images/school.png)
+<!-- ![IT administrator](images/school.png) -->
 
-[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
+[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
 

education/windows/index.md

@@ -1,32 +1,46 @@
 ---
 title: Windows 10 for Education (Windows 10)
-description: Learn about using Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
+keywords: Windows 10, education
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-author: jdeckerMS
+author: CelesteDG
 ---
 
 # Windows 10 for Education
-[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
+<link rel="stylesheet" href="https://az835927.vo.msecnd.net/sites/uwp/Resources/css/custom.css">
 
-[Find out how to get Windows 10 Education or Windows 10 Pro Education for your school](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
+[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers, and students to do great things.
 
-[Learn more about what features and functionality are supported in each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+## ![Learn more about Windows](images/education.png) Learn
 
-## In this section
+<div class="side-by-side"> <div class="side-by-side-content">
+<div class="side-by-side-content-left"><p>
+<b>[Windows 10 editions for education customers](windows-editions-for-education-customers.md)</b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p></div>
+<div class="side-by-side-content-right"><p><b>[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)</b><br />Find out more about the features and functionality we support in each edition of Windows.</p><p>
+<b>[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)</b><br />When you've made your decision, find out how to buy Windows for your school.</p></div>
+ </div></div>
 
-|Topic |Description |
-|------|------------|
-| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education.  |
-| [Provisioning options for Windows 10](set-up-windows-10.md) | Learn about your options for setting up Windows 10.  |
-| [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. |
-| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 |
-| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in a school. |
-| [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) |Learn how to deploy Windows 10 in a school district.|
-| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. |
+## ![Plan for Windows 10 in your school](images/clipboard.png) Plan
+
+<div class="side-by-side"> <div class="side-by-side-content">
+<div class="side-by-side-content-left"><p>
+<b>[Provisioning options for Windows 10](set-up-windows-10.md)</b><br />Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.</p><p>
+<b>[Get Minecraft Education Edition](get-minecraft-for-education.md)</b><br />Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.</p></div>
+<div class="side-by-side-content-right"><p><b>[Take tests in Windows 10](take-tests-in-windows-10.md)</b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
+<p><b>[Chromebook migration guide](chromebook-migration-guide.md)</b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p></div>
+ </div></div>
+
+ ## ![Deploy Windows 10 for education](images/PCicon.png) Deploy
+
+ <div class="side-by-side"> <div class="side-by-side-content">
+ <div class="side-by-side-content-left"><p><b>[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)</b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p></div>
+ <div class="side-by-side-content-right"><p>
+ <b>[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)</b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p><p>
+ <b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p></div>
+   </div></div>
 
 ## Related topics