Merge branch 'master' into minortypos

Greg Lindsay 2017-02-09 16:08:58 -08:00
commit cf203ebf15
659 changed files with 18660 additions and 5082 deletions

1
.gitignore vendored

@ -10,7 +10,6 @@ Tools/NuGet/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
# User-specific files
.vs/

View File

@ -31,7 +31,7 @@
"build_output_subfolder": "devices/hololens",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
@ -93,6 +93,20 @@
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "smb",
"build_source_folder": "smb",
"build_output_subfolder": "smb",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "op"
}
],
"notification_subscribers": [
@ -104,5 +118,6 @@
"git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "master",
"skip_source_output_uploading": false,
"dependent_repositories": []
"dependent_repositories": [],
"need_generate_pdf_url_template": false
}

3
1.ps1 Normal file

@ -0,0 +1,3 @@
git add .
git commit -m "changes"
git push -u origin vso-10788146
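Review bot: `1.ps1` reads like a personal push helper that was committed by accident at the repository root: it hard-codes the branch `vso-10788146` and the commit message "changes", so it has no use for other contributors. The `git add .` line also stages every untracked file in the working tree, which is a common way for stray scripts, build output and local credentials to end up in history. Remove the file from the change and stage paths explicitly; if the helper is kept locally, add it to `.gitignore`.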

View File

@ -8,6 +8,7 @@ Welcome! This repository houses the docs that are written for IT professionals f
- [Surface](https://technet.microsoft.com/itpro/surface)
- [Surface Hub](https://technet.microsoft.com/itpro/surface-hub)
- [Windows 10 for Education](https://technet.microsoft.com/edu/windows)
- [HoloLens](https://technet.microsoft.com/itpro/hololens)
- [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop)
## Contributing

View File

@ -21,7 +21,11 @@ localizationpriority: high
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
<p>**Note**<br>This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
> **Note**<br>This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
> **Note**<br>For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892).
## In this section
@ -54,7 +58,9 @@ You'll need to keep running them using IE11. If you don't have IE11 installed an
## Related topics
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644)
- [Internet Explorer 11 - FAQ for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760645)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)

View File

@ -19,7 +19,9 @@ localizationpriority: high
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
<p>**Note**<br>For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
> **Note**<br>
> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
@ -32,25 +34,26 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
|Configure Autofill |Windows 10 or later |This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.<p>If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.<p>If you disable this setting, employees cant use Autofill to automatically fill in forms while using Microsoft Edge.<p>If you dont configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. |**Not configured (default):** Employees can choose to turn Autofill on or off.<p>**Enabled:** Employees can use Autofill to complete form fields.<p>**Disabled:** Employees cant use Autofill to complete form fields. |
|Configure cookies |Windows 10 or later|This setting lets you configure how to work with cookies.<p>If you enable this setting, you must also decide whether to:<br><ul><li>**Allow all cookies (default):** Allows all cookies from all websites.</li><li>**Block all cookies:** Blocks all cookies from all websites.</li><li>**Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.</li></ul><p>If you disable or don't configure this setting, all cookies are allowed from all sites. |**Enabled:** Lets you decide how your company treats cookies.<br>If you use this option, you must also choose whether to:<br><ul><li>**Allow all cookies (default):** Allows all cookies from all websites.</li><li>**Block all cookies:** Blocks all cookies from all websites.</li><li>**Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.</li></ul><p>**Disabled or not configured:** All cookies are allowed from all sites.|
|Configure Do Not Track |Windows 10 or later |This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests arent sent, but employees can choose to turn on and send requests.<p>If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.<p>If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.<p>If you dont configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. |**Not configured (default):** Employees can choose to send Do Not Track headers on or off.<p>**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.<p>**Disabled:** Employees cant send Do Not Track requests to websites requesting tracking info. |
|Configure Edge Extensions |Windows 10 Insider Preview |This policy setting lets you decide whether employees can use Edge Extensions.<p>If you enable or dont configure this setting, employees can use Edge Extensions.<p>If you disable this setting, employees cant use Edge Extensions. |**Enabled or not configured:** Lets employees use Edge Extensions.<p>**Disabled:** Stops employees from using Edge Extensions. |
|Allow Extensions |Windows 10, Version 1607 or later |This policy setting lets you decide whether employees can use Edge Extensions.<p>If you enable or dont configure this setting, employees can use Edge Extensions.<p>If you disable this setting, employees cant use Edge Extensions. |**Enabled or not configured:** Lets employees use Edge Extensions.<p>**Disabled:** Stops employees from using Edge Extensions. |
|Configure Favorites |Windows 10, Version 1511 or later |This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.<p>If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.<p>If you disable or dont configure this setting, employees will see the Favorites that they set in the Favorites hub. |**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.<p>**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub. |
|Configure Home pages |Windows 10, Version 1511 or later |This policy setting lets you configure one or more Home pages. for domain-joined devices. Your employees won't be able to change this after you set it.<p>If you enable this setting, you can configure one or more Home pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: <br>`<support.contoso.com><support.microsoft.com>`<p>If you disable or dont configure this setting, your default Home page is the webpage specified in App settings. |**Enabled:** Configure your Home pages. If you use this option, you must also include site URLs.<p>**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings. |
|Configure Password Manager |Windows 10 or later |This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.<p>If you enable this setting, employees can use Password Manager to save their passwords locally.<p>If you disable this setting, employees cant use Password Manager to save their passwords locally.<p>If you dont configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |**Not configured:** Employees can choose whether to use Password Manager.<p>**Enabled (default):** Employees can use Password Manager to save passwords locally.<p>**Disabled:** Employees can't use Password Manager to save passwords locally. |
|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.<p>If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.<p>If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.<p>If you dont configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.<p>**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. |
|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.<p>If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.<p>If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.<p>If you dont configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.<p>**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.<p>**Disabled:** Employees cant see search suggestions in the Address bar of Microsoft Edge. |
|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on.<p>If you enable this setting, SmartScreen Filter is turned on and employees cant turn it off.<p>If you disable this setting, SmartScreen Filter is turned off and employees cant turn it on.<p>If you dont configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter.<p>**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.<p>**Disabled:** Turns off SmartScreen Filter. |
|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.<p>If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.<p>If you disable or dont configure this setting, Microsoft Edge wont use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. |**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if its configured.<br>If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.<p>**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List. |
|Prevent access to the about:flags page |Windows 10 Insider Preview |This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.<p>If you enable this policy setting, employees cant access the about:flags page.<p>If you disable or dont configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.<p>**Disabled or not configured (default):** Lets employees use the about:flags page. |
|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.<p>If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.<p>If you disable or dont configure this setting, Microsoft Edge wont use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.<p>**Note**<br>If theres an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If youre already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if its configured.<p>If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.<p>**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
|Prevent access to the about:flags page |Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.<p>If you enable this policy setting, employees cant access the about:flags page.<p>If you disable or dont configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.<p>**Disabled or not configured (default):** Lets employees use the about:flags page. |
|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files.<p>If you enable this setting, employees cant ignore SmartScreen Filter warnings and theyre blocked from downloading the unverified files.<p>If you disable or dont configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files.<p>**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. |
|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites.<p>If you enable this setting, employees cant ignore SmartScreen Filter warnings and theyre blocked from continuing to the site.<p>If you disable or dont configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites.<p>**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. |
|Prevent using Localhost IP address for WebRTC |Windows 10, Version 1511 or later |This policy setting lets you decide whether an employees Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.<p>If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.<p>If you disable or dont configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol. |**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.<p>**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol. |
|Send all intranet sites to Internet Explorer 11 |Windows 10 or later |This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.<p>If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.<p>If you disable or dont configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge. |**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.<p>**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge. |
|Show message when opening sites in Internet Explorer |Windows 10 Insider Preview |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you disable or dont configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>**Disabled or not configured (default):** Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. |
|Show message when opening sites in Internet Explorer |Windows 10, Version 1607 and later |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you disable or dont configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>**Disabled or not configured (default):** Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. |
## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
<p>**Note**<br>The **Supports** column uses these options:
> **Note**<br>
> The **Supports** column uses these options:
- **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
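Review bot: The note added to the "Configure the Enterprise Mode Site List" row says "IE waits 65 seconds and then checks the local cache", but this table documents Microsoft Edge policy; state whether Edge follows the same 65-second refresh or reword the note, so admins know which browser picks up an updated site list and when. The replaced version strings are also inconsistent: "Allow Extensions" and "Prevent access to the about:flags page" use "Version 1607 or later", while "Show message when opening sites in Internet Explorer" uses "Version 1607 and later". The heading kept as context expands MDM as "Mobile Data Management", where the overview page changed in this same commit uses "mobile device management (MDM)".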
@ -67,22 +70,22 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
|AllowCookies |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Allows all cookies from all sites.</li><li>**1.** Blocks only cookies from 3rd party websites</li><li>**2.** Blocks all cookies from all sites.</li></ul></li></ul> |
|AllowDeveloperTools |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools</li><li>**Data type:** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can't use the F12 Developer Tools</li><li>**1 (default).** Employees can use the F12 Developer Tools</li></ul></li></ul> |
|AllowDoNotTrack |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.</li><li>**1.** Employees can send Do Not Track headers to websites requesting tracking info.</li></ul></li></ul> |
|AllowExtensions |Windows 10 Insider Preview |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees cant use Edge Extensions.</li><li>**1 (default).** Employees can use Edge Extensions.</li></ul></li></ul> |
|AllowExtensions |Windows 10, Version 1607 and later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees cant use Edge Extensions.</li><li>**1 (default).** Employees can use Edge Extensions.</li></ul></li></ul> |
|AllowInPrivate |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees cant use InPrivate browsing.</li><li>**1 (default).** Employees can use InPrivate browsing.</li></ul></li></ul> |
|AllowPasswordManager |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can't use Password Manager to save passwords locally.</li><li>**1.** Employees can use Password Manager to save passwords locally.</li></ul></li></ul> |
|AllowPopups |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.</li><li>**1.** Turns on Pop-up Blocker, stopping pop-up windows.</li></ul></li></ul> |
|AllowSearchSuggestionsinAddressBar |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees cant see search suggestions in the Address bar of Microsoft Edge.</li><li>**1.** Employees can see search suggestions in the Address bar of Microsoft Edge.</li></ul></li></ul> |
|AllowSearchSuggestions<br>inAddressBar |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees cant see search suggestions in the Address bar of Microsoft Edge.</li><li>**1.** Employees can see search suggestions in the Address bar of Microsoft Edge.</li></ul></li></ul> |
|AllowSmartScreen |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off SmartScreen Filter.</li><li>**1.** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.</li></ul></li></ul> |
|EnterpriseModeSiteList |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Not configured.</li><li>**1 (default).** Use the Enterprise Mode Site List, if configured.</li><li>**2.** Specify the location to the site list.</li></ul></li></ul> |
|EnterpriseModeSiteList |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Not configured.</li><li>**1 (default).** Use the Enterprise Mode Site List, if configured.</li><li>**2.** Specify the location to the site list.</li></ul><p>**Note**<br>If theres an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If youre already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.</li></ul>|
|Favorites |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the **Favorite** URLs for your employees.<p>**Example:**<br>`<contoso.com>`<br>`<fabrikam.com>`<p>**Note**<br> URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.</li></ul> |
|FirstRunURL |Windows 10, Version 1511 or later |Mobile |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the first run URL for your employees.<p>**Example:**<br>`<contoso.one>`</li></ul></li></ul> |
|HomePages |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the Home page URLs for your employees.<p>**Example:**<br>`<contoso.com/support><fabrikam.com/support>`</li></ul></li></ul> |
|PreventAccessToAboutFlagsInMicrosoftEdge |Windows 10 Insider Preview |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can access the about:flags page in Microsoft Edge.</li><li>**1.** Employees can't access the about:flags page in Microsoft Edge.</li></ul></li></ul> |
|PreventSmartScreenPromptOverride |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can ignore SmartScreen warnings.</li><li>**1.** Employees can't ignore SmartScreen warnings.</li></ul></li></ul> |
|PreventSmartScreenPromptOverrideForFiles |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles </li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can ignore SmartScreen warnings for files.</li><li>**1.** Employees can't ignore SmartScreen warnings for files.</li></ul></li></ul> |
|PreventUsingLocalHostIPAddressForWebRTC |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.</li><li>**1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.</li></ul></li></ul> |
|SendIntranetTraffictoInternetExplorer |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.</li><li>**1.** Automatically opens all intranet sites using Internet Explorer 11.</li></ul></li></ul> |
|ShowMessageWhenOpeningInteretExplorerSites |Windows 10 Insider Preview |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul></li></ul> |
|PreventAccessToAbout<br>FlagsInMicrosoftEdge |Windows 10, Version 1607 and later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can access the about:flags page in Microsoft Edge.</li><li>**1.** Employees can't access the about:flags page in Microsoft Edge.</li></ul></li></ul> |
|PreventSmartScreen<br>PromptOverride |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can ignore SmartScreen warnings.</li><li>**1.** Employees can't ignore SmartScreen warnings.</li></ul></li></ul> |
|PreventSmartScreen<br>PromptOverrideFor<br>Files |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles </li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can ignore SmartScreen warnings for files.</li><li>**1.** Employees can't ignore SmartScreen warnings for files.</li></ul></li></ul> |
|PreventUsingLocalHost<br>IPAddressForWebRTC |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.</li><li>**1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.</li></ul></li></ul> |
|SendIntranetTraffic<br>toInternetExplorer |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.</li><li>**1.** Automatically opens all intranet sites using Internet Explorer 11.</li></ul></li></ul> |
|ShowMessageWhen<br>OpeningInteretExplorer<br>Sites |Windows 10, Version 1607 and later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul></li></ul> |
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
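Review bot: In the re-wrapped rows, the policy name and its URI full path disagree in two places. The last row is named ShowMessageWhenOpeningInteretExplorerSites but its path ends in ShowMessageWhenOpeningSitesInInteretExplorer, and PreventSmartScreenPromptOverride has a path ending in PreventSmartscreenPromptOverride (lower-case "s"). "Interet" in both strings also looks like a dropped "n". Admins copy these strings into MDM profiles, so please check each one against the Policy CSP reference and make the name and path agree. The PreventSmartScreenPromptOverrideForFiles path also has a trailing space before the closing list tag, and the `<br>` breaks inserted into the names mean a copied name no longer matches the real policy string.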

View File

@ -4,6 +4,7 @@ description: This topic lists new and updated topics in the Microsoft Edge docum
ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
localizationpriority: high
---
# Change history for Microsoft Edge
@ -11,6 +12,15 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
## November 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.|
|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. |
|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. |
|[Microsoft Edge - Deployment Guide for IT Pros](index.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. |
|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. |
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
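Review bot: The new November 2016 table lists [Browser: Microsoft Edge and Internet Explorer 11] twice, once with "Added the infographic image and a download link." and again in the last row with "Added a link to the Microsoft Edge infographic...". Please merge these into one row so the change history has a single entry per topic.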

View File

@ -19,13 +19,15 @@ localizationpriority: high
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
<p>**Note**<br>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
> **Note**<br>
>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
## Fix specific websites
Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and need IE11, you can add them to the Enterprise Mode site list, using the Enterprise Mode Site List Manager.
![](images/wedge.gif) **To add sites to your list**
**To add sites to your list**
1. In the Enterprise Mode Site List Manager, click **Add**.<p>If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](https://go.microsoft.com/fwlink/p/?LinkId=618322).<p>![Enterprise Mode Site List Manager with Open in IE box](images/emie_open_in_ie.png)
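Review bot: The converted note keeps the leading space inside the link target, `]( https://go.microsoft.com/fwlink/p/?LinkId=620714)`. Some Markdown renderers do not treat that as a link, so drop the space while this line is being touched. The same pattern is carried over in the "Fix your intranet sites" note later in this file.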
@ -43,7 +45,10 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip
You must turn on the **Use Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377).
![](images/wedge.gif) **To turn on Enterprise Mode using Group Policy**
> **Note**<br>
> If theres an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If youre already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
**To turn on Enterprise Mode using Group Policy**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Allows you to configure the Enterprise Mode Site list** setting.<p>Turning this setting on also requires you to create and store a site list.<p>![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png)
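Review bot: The added note says "IE waits 65 seconds", but it sits in a Microsoft Edge topic, directly under a paragraph that says the policy applies to both Microsoft Edge and IE11. Please state whether the 65 second cache check applies to Microsoft Edge as well, since that determines how soon a site list change (for example, removing a site from IE11 routing) takes effect. The note also writes "enterprise mode" in lower case where the rest of the topic uses "Enterprise Mode", and it mixes a `<p>` tag into the blockquote; a second `>` paragraph would be cleaner.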
@ -51,7 +56,7 @@ You must turn on the **Use Enterprise Mode Site List** Group Policy setting befo
3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.<p>The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is.
![](images/wedge.gif) **To turn on Enterprise Mode using the registry**
**To turn on Enterprise Mode using the registry**
1. **To turn on Enterprise Mode for all users on the PC:** Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`.
@ -70,11 +75,15 @@ You must turn on the **Use Enterprise Mode Site List** Group Policy setting befo
## Fix your intranet sites
You can add the **Send all intranet traffic over to Internet Explorer** Group Policy setting for Windows 10 so that all of your intranet sites open in IE11. This means that even if your employees are using Microsoft Edge, they will automatically switch to IE11 while viewing the intranet.
<p>**Note**<br>If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
![](images/wedge.gif) **To turn on Sends all intranet traffic over to Internet Explorer using Group Policy**
> **Note**<br>
> If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting.<p>![Local Group Policy Editor with setting to send all intranet traffic to IE11](images/sendintranettoie.png)
**To turn on Sends all intranet traffic over to Internet Explorer using Group Policy**
1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting.
![Local Group Policy Editor with setting to send all intranet traffic to IE11](images/sendintranettoie.png)
2. Click **Enabled**.
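Review bot: The procedure title and step 1 call the setting "Sends all intranet traffic over to Internet Explorer", while the paragraph above names it "Send all intranet traffic over to Internet Explorer". Please use the exact name shown in the Group Policy editor in both places so admins can find it by search. Also, the screenshot now sits on its own line between steps 1 and 2; if it is not indented under step 1 in the source, the numbered list will restart at step 2.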

View File

@ -25,6 +25,12 @@ Microsoft Edge is the default browser experience for Windows 10 and Windows 10 M
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
If you're having trouble deciding whether Microsoft Edge is good for your organization, you can take a look at this infographic about the potential impact of using Microsoft Edge in an organization.
![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)<br>
[Click to enlarge](img-microsoft-edge-infographic-lg.md)<br>
[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
@ -44,9 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)

Binary file not shown.

After

Width:  |  Height:  |  Size: 518 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

View File

@ -0,0 +1,10 @@
---
description: A full-sized view of the Microsoft Edge infographic.
title: Full-sized view of the Microsoft Edge infographic
---
Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)<br>
Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png)
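Review bot: The front matter of this new topic has only description and title, while the other topics touched in this commit also carry ms.prod, ms.mktglfcycl, ms.sitesec and localizationpriority (see the Change history for Microsoft Edge header above). Please add the same metadata here so the page is built and localized consistently with the topic it is linked from.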

View File

@ -11,6 +11,11 @@ ms.sitesec: library
# Change history for Internet Explorer 11
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
## November 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
## August 2016
|New or changed topic | Description |
|----------------------|-------------|

View File

@ -83,7 +83,8 @@ The codes in this table can tell you what document mode was set by IE for a webp
|5 |Page is using an X-UA-compatible HTTP header. |
|6 |Page appears on an active **Compatibility View** list. |
|7 |Page is using native XML parsing. |
|9 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
|9 |Page state is set by the browser mode and the page's DOCTYPE.|
#### Browser state reason
The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.<br>These codes only apply to Internet Explorer 10 and Internet Explorer 11.
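Review bot: Moving the Quirks Mode Emulation description from code 9 to code 8 and giving code 9 a new meaning changes how already-collected Enterprise Site Discovery data should be read, and the table does not say so. Please add a short sentence noting that earlier versions of this topic listed QME under code 9, so anyone re-reading older reports knows to reinterpret that value. The new code 9 row is also missing the space before its closing pipe, unlike the rows above it.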

View File

@ -10,7 +10,6 @@ title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11
ms.sitesec: library
---
# Deprecated document modes and Internet Explorer 11
**Applies to:**
@ -25,8 +24,8 @@ Windows Internet Explorer 8 introduced document modes as a way to move from the
This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge wont. And because of that, it also means that if you want to use Microsoft Edge, youre going to have to update your legacy webpages and apps to support modern features, browsers, and devices.
**Note**<br>
For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
>**Note**<br>
>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
## What is document mode?
Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly.
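Review bot: The note is converted to `>**Note**<br>` here, but this same commit uses `> **Note**<br>` (with a space) in the Enterprise Mode topic and `>[!NOTE]` in the IE11 FAQ and HoloLens topics. Please pick one note syntax for the commit, preferably `>[!NOTE]` since the newest topics already use it, so the notes render the same way across the docset.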
@ -41,7 +40,8 @@ The compatibility improvements made in IE11 lets older websites just work in the
## Document mode selection flowchart
This flowchart shows how IE11 works when document modes are used.
![Flowchart detailing how document modes are chosen in IE11](images/docmodeflow2.png)
![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)<br>
[Click this link to enlarge image](img-ie11-docmode-lg.md)
## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isnt an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes cant undo architectural changes. Its also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode.

Binary file not shown.

After

Width:  |  Height:  |  Size: 85 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 234 KiB

View File

@ -0,0 +1,11 @@
---
description: A full-sized view of how document modes are chosen in IE11.
title: Full-sized flowchart detailing how document modes are chosen in IE11
---
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
<p style="overflow: auto;">
<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
</p>
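Review bot: This enlarge page embeds the image with a raw `<img>` tag at a fixed width="1355" height="1625" and max-width:none, whereas the equivalent Microsoft Edge infographic page added in this commit uses a plain Markdown image. Please use one approach for both, or add a comment on why the flowchart needs the scrolling wrapper. The front matter also has only description and title; add the ms.prod, ms.sitesec and localizationpriority fields used by the other topics.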

View File

@ -17,7 +17,7 @@ If youre having problems launching your legacy apps while running Internet Ex
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.
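Review bot: Step 2 now points at `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework`, but its label still reads "For x64 systems or for 64-bit processes on x64 systems". Wow6432Node is the registry view used by 32-bit processes on 64-bit Windows, so the labels on steps 1 and 2 look swapped, or at least do not say which registry view each path is written from. Please confirm which process bitness each key applies to and state it in the step, so that EnableIEHosting, a legacy-app compatibility switch, is only set where it is actually needed.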

View File

@ -41,8 +41,8 @@ In IE, press **ALT+V** to show the **View** menu, press **T** to enter the **Too
## Where did the search box go?
IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
**Note**<br>
Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
>[!NOTE]
>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
 

View File

@ -20,8 +20,8 @@ Included examples:
- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-IP-address)
- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-IP-address-matches-the-specified-IP-address)
- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)

View File

@ -6,6 +6,7 @@ ms.prod: IE11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
localizationpriority: low
---

View File

@ -1 +1,9 @@
# [Placeholder](index.md)
# [Microsoft HoloLens](index.md)
## [HoloLens in the enterprise: requirements](hololens-requirements.md)
## [Set up HoloLens](hololens-setup.md)
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

View File

@ -0,0 +1,21 @@
---
title: Change history for Microsoft HoloLens documentation
description: This topic lists new and updated topics for HoloLens.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## January 2017
| New or changed topic | Description |
| --- | --- |
| All topics | Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for Business** |
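Review bot: The front matter sets `ms.pagetype: surfacehub` on a HoloLens topic, while the other new HoloLens topics in this commit use `ms.pagetype: hololens, devices`. This looks copied from the Surface Hub change history; please correct it so the page is classified with the rest of the HoloLens docset.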

View File

@ -1,30 +0,0 @@
---
title: Checklist for HoloLens in the enterprise (HoloLens)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
---
# Checklist: HoloLens in the enterprise
[Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers)
Windows Store for Business
Requirements
- IT Admins: Before you sign up for the Store for Business, at a minimum, you'll need an Azure Active Directory (AAD) account for your organization, and you'll need to be the global administrator for your organization. Once the Global Admin has signed in, they can give permissions to other employees.
- End Users: Need Azure AD account when they access Store for Business content from Windows-based devices.
[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)

View File

@ -0,0 +1,39 @@
---
title: Enroll HoloLens in MDM (HoloLens)
description: Enroll HoloLens in mobile device management (MDM) for easier management of multiple devices.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Enroll HoloLens in MDM
You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
>[!NOTE]
>Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
## Requirements
Your organization will need to have mobile device management (MDM) set up in order to manage HoloLens devices. Your MDM provider can be Microsoft Intune or a 3rd party provider that uses Microsoft MDM APIs.
## Auto-enrollment in MDM
If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and Airwatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
## Enroll through Settings app
When the device is not enrolled in MDM during the first-run experience, the user can manually enroll the device with the organization's MDM server using the Settings app.
1. Go to **Settings** > **Accounts** > **Work access**.
2. Select **Enroll into device management** and enter your organizational account. You will be redirected to your organization's sign in page.
4. Upon successful authentication to the MDM server, a success message is shown.
Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
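Review bot: The "Enroll through Settings app" steps are numbered 1, 2, 4, so either a step was dropped or the numbering is off; please confirm nothing is missing between entering the organizational account and the success message, for example the sign-in on the organization's page. The intro also spells the product "Microsoft InTune" while the Requirements section uses "Microsoft Intune", and the auto-enrollment paragraph switches between "Azure AD" and "AAD". Use one form of each throughout.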

View File

@ -0,0 +1,87 @@
---
title: Install apps on HoloLens (HoloLens)
description: The recommended way to install apps on HoloLens is to use Windows Store for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Install apps on HoloLens
The recommended way to install Universal Windows Platform (UWP) apps on HoloLens is to use Windows Store for Business. You can make your own [line-of-business application](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps) available through Windows Store for Business.
You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
## Use Windows Store for Business to deploy apps to HoloLens
Windows Store for Business is a private Windows Store for your enterprise. People in your organization can open the Store app and select your private Store to install apps that you have made available to them.
![How Windows Store for Business appears in Store app](images/wsfb-private.png)
In your Windows Store for Business dashboard, you can also download apps to distribute to devices that aren't connected to the Internet, plus add line-of-business (LOB) apps for distribution.
### Requirements
- You need to be a global administrator for your Azure Active Directory (Azure AD) tenant.
>[!TIP]
>You can create an Azure AD account and tenant as part of the Store for Business sign-up process.
- End users need Azure AD accounts when they access Store for Business content from Windows-based devices.
### Windows Store for Business process
1. [Sign up for Windows Store for Business.](https://technet.microsoft.com/itpro/windows/manage/sign-up-windows-store-for-business)
2. [Assign roles and permissions for managing your Store for Business.](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
3. (Optional) [Configure Windows Store for Business to work with your MDM provider.](https://technet.microsoft.com/itpro/windows/manage/configure-mdm-provider-windows-store-for-business)
3. [Get apps for your Store for Business.](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business)
4. [Distribute apps to your employees.](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-to-your-employees-windows-store-for-business)
### Install apps on HoloLens from Windows Store for Business
The method that you use to install an app from your Windows Store for Business on HoloLens depends on the the distribution method that you choose.
| Distribution method | To install on HoloLens|
| --- | --- |
| Using private store | Open the Store app and select the tab for your organization to choose from available apps. |
| Using MDM | [You can configure MDM to synchronize your Store for Business inventory.](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool) |
## Use MDM to deploy apps to HoloLens
You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps).
Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune).
## Use the Windows Device Portal to install apps on HoloLens.
1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
>[!TIP]
>If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Apps**.
![App Manager](images/apps.png)
5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**.
6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens.
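Review bot: Step 1 under "Use the Windows Device Portal to install apps on HoloLens" sends the reader to set up the Device Portal without saying that this requires **Developer Mode**, which enables side-loading. hololens-kiosk.md in this same commit carries an IMPORTANT note on exactly that, including how to block it through the Policy CSP. Suggest repeating or linking that note here, since this procedure installs app packages picked from a folder on a PC or network. Two smaller fixes in the visible part of this file: "depends on the the distribution method" has a doubled word, and the heading "## Use the Windows Device Portal to install apps on HoloLens." ends in a period, unlike the other headings.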

View File

@ -0,0 +1,38 @@
---
title: Set up HoloLens in kiosk mode (HoloLens)
description: Kiosk mode limits the user's ability to launch new apps or change the running app.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Set up HoloLens in kiosk mode
Kiosk mode limits the user's ability to launch new apps or change the running app. When kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
>[!TIP]
>If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Kiosk Mode**.
![Kiosk Mode](images/kiosk.png)
>[!NOTE]
>The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.
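Review bot: In the IMPORTANT note under step 1, the policy is written as `ApplicationManagement/AllowDeveloper Unlock`, with a space inside the name. The Policy CSP setting is `ApplicationManagement/AllowDeveloperUnlock`, and an administrator who copies the string as written will not find it. Also consider moving the NOTE that follows step 4 (the device must be enrolled in device management and licensed for Windows Holographic for Business) to the top of the procedure as a prerequisite, so readers learn it before they enable Developer Mode and set up the portal rather than after.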

View File

@ -0,0 +1,121 @@
---
title: Configure HoloLens using a provisioning package (HoloLens)
description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Configure HoloLens using a provisioning package
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages.
Some of the HoloLens configurations that you can apply in a provisioning package:
- Upgrade to Windows Holographic for Business
- Set up a local account
- Set up a Wi-Fi connection
- Apply certificatess to the device
To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration Designer** from the **Select the features you want to install** dialog box.
![Choose Configuration Designer](images/adk-install.png)
> [!NOTE]
> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
## Create a provisioning package for HoloLens
>[!NOTE]
>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
1. On the Windows ICD start page, select **Advanced provisioning**.
2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
3. Click **Next**.
4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then click **Next**.
6. Click **Finish**.
7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
>[!IMPORTANT]
>If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery).
8. On the **File** menu, click **Save**.
4. Read the warning that project files may contain sensitive information, and click **OK**.
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
3. On the **Export** menu, click **Provisioning package**.
4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
5. Set a value for **Package Version**.
>[!TIP]
>You can make changes to existing packages and change the version number to update previously applied packages.
6. On the **Select security details for the provisioning package**, click **Next**.
7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click Browse to change the default output location.
8. Click **Next**.
9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
10. When the build completes, click **Finish**.
## Apply a provisioning package to HoloLens
1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of OOBE (the first page with the blue box).
2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
3. HoloLens will show up as a device in File Explorer on the PC.
4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
>[!NOTE]
>If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
## What you can configure
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
![Common runtime settings for HoloLens](images/icd-settings.png)
| Setting | Description |
| --- | --- |
| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported. <br><br>**IMPORTANT**<br>If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) |
| **Policies** | Allow or prevent developer mode on HoloLens. |
>[!NOTE]
>App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
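Review bot: The step "On the **Select security details for the provisioning package**, click **Next**" tells the reader to pass straight through the security page, even though the IMPORTANT note a few steps earlier says the .ppkg file may contain sensitive information and that encrypting it is optional, and the settings table in this topic covers local accounts, certificates and Wi-Fi profiles. Suggest stating at that step when to turn on encryption instead of a bare "click Next". The step numbers in "Create a provisioning package for HoloLens" run 1, 2, 3, 4, 6, 7, 8, 4, 3, 4, 5 and need renumbering. "Apply certificatess" and "with aa Microsoft account" are typos. The 42-day password warning appears twice (after step 7 and in the **Accounts** row), so one copy could link to the other.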

View File

@ -0,0 +1,55 @@
---
title: HoloLens in the enterprise requirements (HoloLens)
description: Requirements for general use, Wi-Fi, and device management for HoloLens in the enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Microsoft HoloLens in the enterprise: requirements
When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/holographic/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
## General use
- Microsoft account or Azure Active Directory (Azure AD) account
- Wi-Fi network to set up HoloLens
>[!NOTE]
>After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
## Supported wireless network EAP methods
- PEAP-MS-CHAPv2
- PEAP-TLS
- TLS
- TTLS-CHAP
- TTLS-CHAPv2
- TTLS-MS-CHAPv2
- TTLS-PAP
- TTLS-TLS
## Device management
- Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
- Wi-Fi network
- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
## Upgrade to Windows Holographic for Business
- HoloLens Enterprise license XML file
## Related resources
[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
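Review bot: The four links under "Related resources" hard-code the `en-us` locale (for example `https://docs.microsoft.com/en-us/intune/...`), while the Intune link under "Device management" and the links in the other new HoloLens topics omit it. Drop the locale segment so the site can serve the reader's own language, and format the four lines as a bulleted list, as the HoloLens index topic does for its related resources. "Upgrade to Windows Holographic for Business" lists only the license XML file; a link to hololens-upgrade-enterprise.md would tell the reader what to do with it.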

View File

@ -0,0 +1,44 @@
---
title: Set up HoloLens (HoloLens)
description: The first time you set up HoloLens, you'll need a Wi-Fi network and either a Microsoft or Azure Active Directory account.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Set up HoloLens
Before you get started setting up your HoloLens, make sure you have a Wi-Fi network and a Microsoft account or an Azure Active Directory (Azure AD) account.
## Network connectivity requirements
The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated.
- It can be an open Wi-Fi or password-protected Wi-Fi network.
- The Wi-Fi network cannot require you to navigate to a webpage to connect.
- The Wi-Fi network cannot require certificates to connect.
- The Wi-Fi network does not need to provide access to enterprise resources or intranet sites.
## HoloLens setup
The HoloLens setup process combines a quick tutorial on using HoloLens with the steps needed to connect to the network and add an account.
1. Be sure your HoloLens is [charged](https://support.microsoft.com/help/12627), then [adjust it](https://support.microsoft.com/help/12632) for a comfortable fit.
2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens.
3. Next, you'll be guided through connecting to a Wi-Fi network.
4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**.
- When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
1. Enter your organizational account.
2. Accept privacy statement.
3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page.
4. Continue with device setup.
- When you choose **I own it**, you sign in with a Microsoft account. After setup is complete, you can [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
1. Enter your Microsoft account.
2. Enter your password. If your Microsoft account requires [two-step verification (2FA)](https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/), complete the verification process.
5. The device sets your time zone based on information obtained from the Wi-Fi network.
6. Next, you learn how to perform the bloom gesture and how to select and place the Start screen. After you place the Start screen, setup is complete and you can begin using HoloLens.
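Review bot: "The Wi-Fi network cannot require certificates to connect" under "Network connectivity requirements" reads as contradicting hololens-requirements.md from this same commit, which lists PEAP-TLS, TLS and TTLS-TLS among the supported EAP methods. If the restriction applies only to the network used during first-run setup, say so here and link to the EAP list for networks joined afterwards. In step 4, the "I own it" sub-steps stop at entering the password, while the "My work or school owns it" branch ends with "Continue with device setup". "Accept privacy statement" is missing its article.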

View File

@ -0,0 +1,137 @@
---
title: Unlock Windows Holographic for Business features (HoloLens)
description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Unlock Windows Holographic for Business features
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
>[!TIP]
>You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for Business.
## Edition upgrade using MDM
The enterprise license can be applied by any MDM provider that supports the [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904983.aspx). The latest version of the Microsoft MDM API will support WindowsLicensing CSP.
**Overview**
1. Set up the edition upgrade policy.
2. Deploy the policy.
3. [Enroll the device through the Settings app](hololens-enroll-mdm.md).
The procedures in this topic use Microsoft Intune as an example. On other MDM providers, the specific steps for setting up and deploying the policy might vary.
### Set up the Edition Upgrade policy
1. Sign into the Intune Dashboard with your Intune admin account.
2. In the **Policy** workspace, select **Configuration Policies** and then **Add**.
![Click Add](images/intune1.png)
3. In **Create a new policy**, select the **Edition Upgrade Policy (Windows 10 Holographic and later** template, and click **Create Policy**.
![Select template](images/intune2.png)
4. Enter a name for the policy.
5. In the **Edition Upgrade** section, in **License File**, browse to and select the XML license file that was provided when you purchased the Commercial Suite.
![Enter the XML file name](images/intune3.png)
5. Click **Save Policy**.
### Deploy the Edition Upgrade policy
Next, you will assign the Edition Upgrade policy to selected groups.
1. In the **Policy** workspace, select the Edition upgrade policy that you created, and then choose **Manage Deployment**.
2. In the **Manage Deployment** dialog box, select one or more groups to which you want to deploy the policy, and then choose **Add** > **OK**.
When these users enroll their devices in MDM, the Edition Upgrade policy will be applied.
For more information about groups, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
## Edition upgrade using a provisioning package
Provisioning packages are files created by the Windows Imaging and Configuration Designer (ICD) tool that apply a specified configuration to a device.
### Create a provisioning package that upgrades the Windows Holographic edition
1. [Create a provisioning package for HoloLens.](hololens-provisioning.md#create-a-provisioning-package-for-hololens)
2. Go to **Runtime settings** > **EditionUpgrade**, and select **EditionUpgradeWithLicense**.
![Upgrade edition with license setting selected](images/icd1.png)
2. Browse to and select the XML license file that was provided when you purchased the Commercial Suite.
>[!NOTE]
>You can configure [additional settings in the provisioning package](hololens-provisioning.md).
3. On the **File** menu, click **Save**.
4. Read the warning that project files may contain sensitive information, and click **OK**.
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
3. On the **Export** menu, click **Provisioning package**.
4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
5. Set a value for **Package Version**.
>[!TIP]
>You can make changes to existing packages and change the version number to update previously applied packages.
6. On the **Select security details for the provisioning package**, click **Next**.
7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click Browse to change the default output location.
8. Click **Next**.
9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
10. When the build completes, click **Finish**.
### Apply the provisioning package to HoloLens
1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of OOBE (the first page with the blue box).
2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
3. HoloLens will show up as a device in File Explorer on the PC.
4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
>[!NOTE]
>If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
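Review bot: Everything from "On the **File** menu, click **Save**" through the "Apply the provisioning package to HoloLens" steps is a copy of the text in hololens-provisioning.md, including the "with aa Microsoft account" typo, so the two topics will drift apart. Step 1 already links to that topic, and the build and apply steps could link to its "Apply a provisioning package to HoloLens" section instead of repeating it. In "Set up the Edition Upgrade policy" step 3, the template name "**Edition Upgrade Policy (Windows 10 Holographic and later**" is missing its closing parenthesis. Several lists repeat step numbers (5, 5 in the Intune procedure; 2, 2, 3, 4, 3, 4 in the ICD procedure).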

Binary file not shown.

After

Width:  |  Height:  |  Size: 65 KiB


View File

@ -1,3 +1,40 @@
---
redirect_url: https://developer.microsoft.com/windows/holographic/commercial_features
title: Microsoft HoloLens (HoloLens)
description: HoloLens provides extra features designed for business in the Commercial Suite.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Microsoft HoloLens
<table><tbody>
<tr><td style="border: 0px;width: 75%;valign= top"><p>Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.</p><p> Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for Business when you apply the Enterprise license file to the device.</p></td><td align="left" style="border: 0px">![Hololens](images/hololens.png)</td></tr>
</tbody></table>
## In this section
| Topic | Description |
| --- | --- |
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business|
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
| [Install apps on HoloLens](hololens-install-apps.md) | Use Windows Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens|
</br>
## Related resources
- [Help for using HoloLens](https://support.microsoft.com/products/hololens)
- [Documentation for Holographic app development](https://developer.microsoft.com/windows/holographic/documentation)
- [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/holographic/release_notes)
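Review bot: In the intro table, `style="border: 0px;width: 75%;valign= top"` puts `valign` inside the CSS string, where it is not a property and will be ignored; use `vertical-align: top` in the style, or a separate `valign="top"` attribute. The same row mixes Markdown (`**Development Edition**`, `![Hololens](images/hololens.png)`) into raw HTML `<p>` and `<td>` elements, which may not be rendered as Markdown depending on the build. `</br>` after the topic table is not a valid tag (use `<br>`), and "Microsoft InTune" in the "Enroll HoloLens in MDM" row should be "Microsoft Intune", as in the other topics.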

View File

@ -5,7 +5,8 @@
#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
##### [Create a device account using UI](create-a-device-account-using-office-365.md)
##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
@ -35,4 +36,6 @@
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
### [Change history for Surface Hub](change-history-surface-hub.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Change history for Surface Hub](change-history-surface-hub.md)

View File

@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
- Narrator
- Magnifier
- High contrast

View File

@ -74,7 +74,7 @@ If your organization is using AD or Azure AD, we recommend you either domain joi
|---------------------------------------------------|-----------------------------------------|-------|
| Create a local admin account | None | The user name and password specified during first run |
| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administrators only |
| &nbsp; | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |

View File

@ -1620,7 +1620,7 @@ In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and
Note that in order to run the cmdlets, you need to set up a remote PowerShell session and:
- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`)
- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using `set-user $admin -RemotePowerShellEnabled $true`)
- Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center.
Create the policy.
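Review bot: On the reworked bullet, the cmdlet is still written `set-user` in lower case. PowerShell accepts it, but this appendix otherwise uses Verb-Noun casing (`Set-CalendarProcessing`), so write `Set-User $admin -RemotePowerShellEnabled $true` for consistency while the line is being touched.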
@ -1667,7 +1667,7 @@ This retrieves device information for every device that the account has been pro
For a device account to automatically accept or decline meeting requests based on its availability, the **AutomateProcessing** attribute must be set to **AutoAccept**. This is recommended as to prevent overlapping meetings.
```PowerShell
Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept
Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
```
### <a href="" id="accept-ext-meetings-cmdlet"></a>Accepting external meeting requests

View File

@ -14,6 +14,32 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## January 2017
| New or changed topic | Description |
| --- | --- |
| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New |
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | New |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. |
| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. |
## December 2016
| New or changed topic | Description|
| --- | --- |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added information about Bluetooth accessories. |
| [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) | Updated example procedures to include screenshots. |
## November 2016
| New or changed topic | Description |
| --- | --- |
| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | New |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added information for Video Out and a table to help select a display method. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Added instructions for creating accounts for Surface Hub in a Skype for Business hybrid environment. |
## RELEASE: Windows Anniversary Update for Surface Hub (Windows 10, version 1607)
The topics in this library have been updated for Windows 10, version 1607 (also known as Windows Anniversary Update for Surface Hub). These topics had significant updates for this release:
- [Windows Updates (Surface Hub)](manage-windows-updates-for-surface-hub.md)

View File

@ -1,28 +1,42 @@
---
title: Connect other devices and display with Surface Hub
description: You can connect other device to your Surface Hub to display content. This topic describes guest mode and replacement PC modes that is available through a wired connection.
description: You can connect other device to your Surface Hub to display content.
ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
author: jdeckerMS
localizationpriority: medium
---
# Connect other devices and display with Surface Hub
You can connect other device to your Surface Hub to display content. This topic describes guest mode and replacement PC modes that is available through a wired connection.
You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections, and also lists accessories that you can connect to Surface Hub using [Bluetooth](#bluetooth-accessories).
## Guest mode
## Which method should I choose?
When connecting external devices and displays to a Surface Hub, there are several available options. The method you use will depend upon your scenario and needs.
| When you want to: | Use this method: |
| --- | --- |
| Mirror the Surface Hub's display on another device. | [Video Out](#video-out) |
| Present another device's display on the Surface Hub screen and interact with both the device's content and the built-in Surface Hub experience. | [Guest Mode](#guest-mode) |
| Power the Surface Hub from an external Windows 10 PC, turning off the embedded computer of the Surface Hub. Cameras, microphones, speakers, and other peripherals, are sent to the external PC, in addition to pen and touch. | [Replacement PC Mode](#replacement-pc-mode) |
Guest mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and displays them on the Surface Hub. If Surface Hub encounters an HDCP signal, the source will be re-routed through an alternate path, allowing the source to be displayed full-screen without violating HDCP requirements.
## Guest Mode
Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be re-routed through an alternate path, allowing the source to be displayed full-screen without violating HDCP requirements.
>[!NOTE]
>When an HDCP source is connected, use the side keypad to change source inputs.
### Ports
Use these ports on the Surface Hub for the guest mode.
Use these ports on the Surface Hub for Guest Mode.
<table>
<colgroup>
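Review bot: The new `description:` front-matter line still reads "connect other device", while the body sentence in this same hunk was corrected to "other devices"; fix the description to match. The description was also shortened rather than updated, so it no longer mentions any of the modes the intro now lists (Guest Mode, Replacement PC Mode, Video Out, Bluetooth accessories); consider naming them there too.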
@ -93,7 +107,7 @@ Use these ports on the Surface Hub for the guest mode.
### Port locations
These are the port connections used for guest mode on the 55" and 84" Surface Hubs.
These are the port connections used for Guest Mode on the 55" and 84" Surface Hubs.
![image showing guest ports on 55" surface hub. ](images/sh-55-guest-ports.png)
@ -105,7 +119,7 @@ Wired port connections on 84" Surface Hub
### Port enumeration
When a Surface hub is connected to guest computer with the wired connect USB port, a number of USB devices are discovered and configured. These peripheral devices are created for touchback and inkback. The peripheral devices can viewed in Device Manager. Device Manager will show duplicate names for some devices.
When a Surface hub is connected to a guest computer with the wired connect USB port, a number of USB devices are discovered and configured. These peripheral devices are created for Touchback and Inkback. The peripheral devices can be viewed in Device Manager. Device Manager will show duplicate names for some devices.
**Human interface devices**
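Review bot: The rewritten Port enumeration sentence still says "Surface hub" with a lowercase "hub"; the line is already being edited for capitalization (Touchback, Inkback), so change it to "Surface Hub" in the same pass.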
@ -137,9 +151,9 @@ When a Surface hub is connected to guest computer with the wired connect USB por
- USB composite device
### Guest mode connectivity
### Guest Mode connectivity
Your choice of video cable will be determined by what is available from your source input. The Surface Hub has three choices of video input, DisplayPort, HDMI and VGA. Please refer to the below chart for available resolutions.
Your choice of video cable will be determined by what is available from your source input. The Surface Hub has three choices of video input: DisplayPort, HDMI, and VGA. See the following chart for available resolutions.
<table style="width:100%;">
<colgroup>
@ -206,9 +220,9 @@ Your choice of video cable will be determined by what is available from your sou
 
Source audio is provided by DisplayPort and HDMI cables. If you must use VGA, Surface Hub has an audio input port that uses a 3.5 mm plug. Surface Hub also uses a USB cable that provides touch and inkback from the Surface Hub to compatible Windows 10 devices. The USB cable can be used with any video input that is already connected with a cable.
Source audio is provided by DisplayPort and HDMI cables. If you must use VGA, Surface Hub has an audio input port that uses a 3.5 mm plug. Surface Hub also uses a USB cable that provides Touchback and Inkback from the Surface Hub to compatible Windows 10 devices. The USB cable can be used with any video input that is already connected with a cable.
Someone using guest mode to connect a PC would use one of these options:
Someone using Guest Mode to connect a PC would use one of these options:
**DisplayPort** -- DisplayPort cable and USB 2.0 cable
@ -216,16 +230,16 @@ Someone using guest mode to connect a PC would use one of these options:
**VGA** -- VGA cable, 3.5 mm audio cable, and USB 2.0 cable
If the computer you are using for guest mode is not compatible with Touch and Inkback, then you won't need the USB cable.
If the computer you are using for Guest Mode is not compatible with Touchback and Inkback, then you won't need the USB cable.
## Replacement PC mode
## Replacement PC Mode
In replacement PC mode, the embedded computer of the Surface Hub is turned off and an external PC is connected to the Surface Hub. Connections to replacement PC ports give access to key peripherals on the Surface Hub, including the screen, pen, and touch features. This does mean that your Surface Hub wont have the benefit of the Windows Team experience, but you will have the flexibility offered by providing and managing your own Windows computer.
In Replacement PC Mode, the embedded computer of the Surface Hub is turned off and an external PC is connected to the Surface Hub. Connections to replacement PC ports give access to key peripherals on the Surface Hub, including the screen, pen, and touch features. This does mean that your Surface Hub wont have the benefit of the Windows Team experience, but you will have the flexibility offered by providing and managing your own Windows computer.
### Software requirements
You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC.
You can run Surface Hub in Replacement PC Mode with 64-bit versions of Windows 10 Home, Windows 10 Pro, and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) from the Microsoft Download Center. We recommend that you install these drivers on any computer you plan to use as a replacement PC.
### Hardware requirements
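Review bot: The Replacement PC Mode paragraph tells readers the Hub "wont have the benefit of the Windows Team experience" without saying what that covers. This commit adds differences-between-surface-hub-and-windows-10-enterprise.md, whose "Security and lockdown" section lists what Windows 10 Team provides, so link to it here to let admins see what they are trading for "providing and managing your own Windows computer". The edited line also still has "wont" without an apostrophe.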
@ -233,11 +247,11 @@ Surface Hub is compatible with a range of hardware. Choose the processor and mem
### Graphics adapter
In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, though the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal, 60Hz video signals are also supported.
In Replacement PC Mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal.
**55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, and NVIDIA Quadro M6000. These are not the only graphics cards - others are available from other vendors.
**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, NVIDIA Quadro M6000, AMD FirePro W5100, AMD FirePro W7100, and AMD FirePro W9100. These are not the only graphics cards - others are available from other vendors.
Check directly with graphics card vendors for the latest drivers.
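Review bot: The rewritten Graphics adapter sentence drops "60Hz video signals are also supported", and what remains no longer says whether a 60Hz source works at all. If 60Hz is still supported, keep that clause; if support was removed, state that explicitly so admins do not have to guess from the "best and recommended" wording.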
@ -259,7 +273,7 @@ Check directly with graphics card vendors for the latest drivers.
</tr>
<tr class="even">
<td><p>AMD</p></td>
<td><p>[http://support.amd.com/download](http://support.amd.com/download)</p></td>
<td><p>[http://support.amd.com/en-us/download](http://support.amd.com/en-us/download)</p></td>
</tr>
<tr class="odd">
<td><p>Intel</p></td>
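Review bot: The updated AMD driver link is still plain `http://`. This table tells admins where to fetch graphics drivers, so prefer an `https://` URL if the vendor serves one.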
@ -272,7 +286,7 @@ Check directly with graphics card vendors for the latest drivers.
### Ports
Replacement PC ports on 55" Surface Hub.
Replacement PC ports on 55" Surface Hub
![image showing replacement pc ports on 55" surface hub. ](images/sh-55-rpc-ports.png)
@ -295,7 +309,7 @@ Replacement PC ports on 55" Surface Hub.
<tr class="odd">
<td><p>PC video</p></td>
<td><p>Video input</p></td>
<td><p>DisplayPort 1.2</p></td>
<td><p>DP 1.2</p></td>
<td><ul>
<li><p>Full screen display of 1080p at 120 Hz, plus audio</p></li>
<li><p>HDCP compliant</p></li>
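Review bot: The Interface cell changes "DisplayPort 1.2" to "DP 1.2", but the prose in this topic spells out DisplayPort everywhere and "DP" is never defined. Keep the full name, or define the abbreviation on first use.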
@ -329,7 +343,7 @@ Replacement PC ports on 55" Surface Hub.
 
Replacement PC ports on 84" Surface Hub.
Replacement PC ports on 84" Surface Hub
![image showing replacement pc ports on 84" surface hub. ](images/sh-84-rpc-ports.png)
@ -352,7 +366,7 @@ Replacement PC ports on 84" Surface Hub.
<tr class="odd">
<td><p>PC video</p></td>
<td><p>Video input</p></td>
<td><p>DisplayPort 1.2 (2x)</p></td>
<td><p>DP 1.2 (2x)</p></td>
<td><ul>
<li><p>Full screen display of 2160p at 120 Hz, plus audio</p></li>
<li><p>HDCP compliant</p></li>
@ -388,13 +402,12 @@ Replacement PC ports on 84" Surface Hub.
### Replacement PC setup instructions
**To use replacement PC mode**
**To use Replacement PC Mode**
1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) on the replacement PC.
**Note**  We recommend that you set sleep or hibernation on the replacement PC so the Surface Hub will turn off the display when it isn't being used.
 
>[!NOTE]
>We recommend that you set sleep or hibernation on the replacement PC so the Surface Hub will turn off the display when it isn't being used.
2. Turn off the Surface Hub using the power switch next to the power cable.
@ -421,10 +434,55 @@ You can switch the Surface Hub to use the internal PC.
3. Turn on the Surface Hub using the power switch next to the power cable.
 
## Video Out
 
The Surface Hub includes a Video Out port for mirroring visual content from the Surface Hub to another display.
### Ports
Video Out port on the 55" Surface Hub
![Illustration of video output port](images/video-out-55.png)
Video Out port on the 84" Surface Hub
![Illustration of video output port](images/video-out-84.png)
<table>
<thead>
<tr class="header">
<th>Description</th>
<th>Type</th>
<th>Interface</th>
<th>Capabilities</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Video Output Mirror</p></td>
<td><p>Video Output</p></td>
<td><p>Video Output</p></td>
<td><ul>
<li><p>Supports connection to a standard DisplayPort monitor (only supports an x4 Link displaying 1080p60 resolution at 24bpp)</p></li>
<li><p>Supports use with HDMI monitors (supporting 1080p60) by using a DisplayPort-to-HDMI adaptor</p></li>
</ul></td>
</tr>
</tbody>
</table>
## Cables
Both the 55” and 84” Surface Hub devices have been tested to work with Certified DisplayPort and HDMI cables. While vendors do sell longer cables that may work with the Surface Hub, only those cables that have been certified by testing labs are certain to work with the Hub. For example, DisplayPort cables are certified only up to 3 meters, however many vendors sell cables that are 3 times that length. If a long cable is necessary, we strongly suggest using HDMI. HDMI has many cost-effective solutions for long-haul cables, including the use of repeaters. Nearly every DisplayPort source will automatically switch to HDMI signaling if a HDMI sink is detected.
## Bluetooth accessories
You can connect the following accessories to Surface Hub using Bluetooth:
- Mice
- Keyboards
- Headsets
- Speakers
>[!NOTE]
>After you connect a Bluetooth headset or speaker, you might need to change the [default microphone and speaker settings](local-management-surface-hub-settings.md).
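Review bot: In the new Video Out table the Interface cell repeats the Type value ("Video Output") instead of naming the connector. The Capabilities cell describes a DisplayPort output, and the PC video rows earlier in this file use that column for the connector type, so name the connector here as well. In the Cables paragraph, "certified only up to 3 meters, however many vendors" is a comma splice and "a HDMI sink" should be "an HDMI sink".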

View File

@ -46,7 +46,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt
| Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
| [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. |
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
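Review bot: The two new link labels use different forms, "(single-forest)" and "(multiple forests)", and the descriptions then say "single-forest environment" and "multi-forest environment". Pick one pattern for both rows, for example "(single forest)" and "(multiple forests)", so the table and the change history entry agree.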

View File

@ -0,0 +1,169 @@
---
title: Differences between Surface Hub and Windows 10 Enterprise
description: This topic explains the differences between Windows 10 Team and Windows 10 Enterprise.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: isaiahng
localizationpriority: medium
---
# Differences between Surface Hub and Windows 10 Enterprise
The Surface Hub operating system, Windows 10 Team, is based on Windows 10 Enterprise, providing rich support for enterprise management, security, and other features. However, there are important differences between them. While the Enterprise edition is designed for PCs, Windows 10 Team is designed from the ground up for large screens and meeting rooms. When you evaluate security and management requirements for Surface Hub, it's best to consider it as a new operating system. This article is designed to help highlight the key differences between Windows 10 Team on Surface Hub and Windows 10 Enterprise, and what the differences mean for your organization.
## User interface
### Shell (OS user interface)
The Surface Hub's shell is designed from the ground up to be large screen and touch optimized. It doesn't use the same shell as Windows 10 Enterprise.
*Organization policies that this may affect:* <br> Settings related to controls in the Windows 10 Enterprise shell don't apply for Surface Hub.
### Lock screen and screensaver
Surface Hub doesn't have a lock screen or a screen saver, but it has a similar feature called the welcome screen. The welcome screen shows scheduled meetings from the device account's calendar, and easy entry points to the Surface Hub's top apps - Skype for Business, Whiteboard, and Connect.
*Organization policies that this may affect:* <br> Settings for lock screen, screen timeout, and screen saver don't apply for Surface Hub.
### User logon
Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
> [!NOTE]
> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
*Organization policies that this may affect:* <br> Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
### Saving and browsing files
Users have access to a limited set of directories on the Surface Hub:
- Music
- Videos
- Documents
- Pictures
- Downloads
Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
*Organization policies that this may affect:* <br> Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
## Applications
### Default applications
With few exceptions, the default Universal Windows Platform (UWP) apps on Surface Hub are also available on Windows 10 PCs.
UWP apps pre-installed on Surface Hub:
- Alarms & Clock
- Calculator
- Connect
- Excel Mobile
- Feedback Hub
- File Explorer*
- Get Started
- Maps
- Microsoft Edge
- Microsoft Power BI
- OneDrive
- Photos
- PowerPoint Mobile
- Settings*
- Skype for Business*
- Store
- Whiteboard*
- Word Mobile
*Apps with an asterisk (&ast;) are unique to Surface Hub*
*Organization policies that this may affect:* <br> Use guidelines for Windows 10 Enterprise to determine the features and network requirements for default apps on the Surface Hub.
### Installing apps, drivers, and services
To help preserve the appliance-like nature of the device, Surface Hub only supports installing Universal Windows Platform (UWP) apps, and does not support installing classic Win32 apps, services and drivers. Furthermore, only admins have access to install UWP apps.
*Organization policies that this may affect:* <br> Employees can only use the apps that have been installed by admins, helping mitigate against unintended use. Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools.
## Security and lockdown
For Surface Hub to be used in communal spaces, such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10.
Surface Hub implements these Windows 10 security features:
- [UEFI Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview)
- [User Mode Code Integrity (UMCI) with Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)
- [Application restriction policies using AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview)
- [BitLocker Drive Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview)
- [Trusted Platform Module (TPM)](https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview)
- [Windows Defender](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10)
- [User Account Control (UAC)](https://technet.microsoft.com/itpro/windows/keep-secure/user-account-control-overview) for access to the Settings app
These Surface Hub features provide additional security:
- Custom UEFI firmware
- Custom shell and Start menu limits device to meeting functions
- Custom File Explorer only grants access to files and folders under My Documents
- Custom Settings app only allows admins to modify device settings
- Downloading advanced Plug and Play drivers is disabled
*Organization policies that this may affect:* <br> Consider these features when performing your security assessment for Surface Hub.
## Management
### Device settings
Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not log in the admin.
*Organization policies that this may affect:* <br> Employees can use the Surface Hub for meetings, but cannot modify any device settings. In addition to lockdown features, this ensures that employees only use the device for meeting functions.
### Administrative features
The administrative features in Windows 10 Enterprise, such as the Microsoft Management Console, Run, Command Prompt, PowerShell, registry editor, event viewer, and task manager are not supported on Surface Hub. The Settings app contains all of the administrative features locally available on Surface Hub.
*Organization policies that this may affect:* <br> Surface Hubs are not managed like traditional PCs. Use MDM to configure settings and OMS to monitor your Surface Hub.
### Remote management and monitoring
Surface Hub supports remote management through mobile device management (MDM), and monitoring through Operations Management Suite (OMS).
*Organization policies that this may affect:* <br> Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools, such as System Center Operations Manager.
### Group policy
Surface Hub does not support group policy, including auditing. Instead, use MDM to apply policies to your Surface Hub. For more information about MDM, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
*Organization policies that this may affect:* <br> Use MDM to manage Surface Hub rather than group policy.
### Remote assistance
Surface Hub does not support remote assistance.
*Organization policies that this may affect:* <br> Policies related to remote assistance don't apply for Surface Hub.
## Network
### Domain join and Azure Active Directory (Azure AD) join
Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't log in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
*Organization policies that this may affect:* <br> Group policies are not applied when a Surface Hub is joined to your domain. Policies related to domain membership don't apply for Surface Hub.
### Accessing domain resources
Users can sign in to Microsoft Edge to access intranet sites and online resources (such as Office 365). If your Surface Hub is configured with a device account, the system uses it to access Exchange and Skype for Business. However, Surface Hub doesn't support accessing domain resources such as file shares and printers.
*Organization policies that this may affect:* <br> Policies related to accessing domain objects don't apply for Surface Hub.
<!--
### Endpoints
*Organization policies that this may affect:* <br>
-->
### Telemetry
The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
*Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
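Review bot: Under "Security and lockdown" the bullet "Custom File Explorer only grants access to files and folders under My Documents" conflicts with "Saving and browsing files", which lists Music, Videos, Documents, Pictures, and Downloads and tells users to save to a USB drive or OneDrive. Readers will use this page for a security assessment, so make the two statements agree on exactly which locations are reachable. Separately, the front matter has `keywords: change history`, which looks copied from the change history topic, "User Accounts Control (UAC)" under Device settings should match "User Account Control (UAC)" used in the feature list, and the commented-out "Endpoints" placeholder should be filled in or removed before merge.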

View File

@ -425,7 +425,7 @@ This page will attempt to create a new admin account using the credentials that
In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps.
1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus).
1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#use-windows-server-update-services).
2. Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**.
3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates.
4. Follow the onscreen prompts after the updates are installed. You may need to restart the device.

View File

@ -1,18 +1,18 @@
---
title: Hybrid deployment (Surface Hub)
description: A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub.
description: A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub.
ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1
keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
author: jdeckerMS
localizationpriority: medium
---
# Hybrid deployment (Surface Hub)
A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#exchange-on-prem), [Exchange hosted online](#exchange-online), Skype for Business on-prem, Skype for Business online, and Skype for Business hybrid. Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
## Exchange on-prem
Use this procedure if you use Exchange on-prem.
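Review bot: The rewritten intro links "Exchange hosted on-prem" and "Exchange hosted online" but leaves "Skype for Business on-prem, Skype for Business online, and Skype for Business hybrid" as plain text, even though a later hunk in this file links to `#skype-for-business-online`, `#skype-for-business-on-prem` and `#skype-for-business-hybrid`. Link all five consistently. The same edited line also still has "youre" and "Powershell" (should be "PowerShell").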
@ -52,26 +52,31 @@ Use this procedure if you use Exchange on-prem.
```ps1
Set-ExecutionPolicy Unrestricted
$org='contoso.com'
$cred=Get-Credential $admin@$org
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
5. Create a new Exchange ActiveSync policy, or use a compatible existing policy.
After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy or use a compatible existing policy.
Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isnt set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
If you havent created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
If you havent created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
```ps1
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not to resource mailboxes. You'll need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox; you may need to re-enable it and set the password again too.
```ps1
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy
Set-Mailbox 'HUB01@contoso.com' -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
Set-Mailbox 'HUB01@contoso.com' -Type Room
$credNewAccount = Get-Credential -Message “Please provide the Surface Hub username and password”
Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
```
6. Set Exchange properties.
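Review bot: `Set-ExecutionPolicy Unrestricted` at the top of this script block has no `-Scope`, so it changes the policy for the whole machine and leaves it changed after the admin finishes. Since the block is being edited anyway, suggest `Set-ExecutionPolicy RemoteSigned -Scope Process`, which is sufficient for importing the remote session. Also in this hunk: the new `-Message “Please provide the Surface Hub username and password”` uses curly quotes while the new `-Message "Please use your Office 365 admin credentials"` line uses straight ones, the edit introduces "cmdlet—-this one", and the text says the policy is called "Surface Hubs" while the cmdlet creates “SurfaceHubs”. If `$org='contoso.com'` is kept, it is no longer used now that `Get-Credential` takes `-Message`.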
@ -105,18 +110,21 @@ Use this procedure if you use Exchange on-prem.
Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```
9. Enable the device account with Skype for Business.
Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-prem](#skype-for-business-on-prem), or [Skype for Business hybrid](#skype-for-business-hybrid).
In order to enable Skype for Business, your environment will need to meet the following prerequisites:
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your tenant users must have Exchange mailboxes.
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
### Skype for Business Online
- Start by creating a remote PowerShell session from a PC.
To enable Skype for Business online, your environment will need to meet the following prerequisites:
- You need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required).
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
```ps1
Import-Module LyncOnlineConnector
@ -124,22 +132,22 @@ Use this procedure if you use Exchange on-prem.
Import-PSSession $cssess -AllowClobber
```
- To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```ps1
Enable-CsMeetingRoom -Identity $rm -RegistrarPool
'sippoolbl20a04.infra.lync.com&' -SipAddressType EmailAddress
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```ps1
Get-CsOnlineUser -Identity alice@contoso.com| fl *registrarpool*
Get-CsOnlineUser -Identity HUB01@contoso.com| fl *registrarpool*
```
10. Assign Skype for Business license to your Surface Hub account.
2. Assign Skype for Business license to your Surface Hub account.
Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
- Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
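Review bot: The RegistrarPool lookup now reads `Get-CsOnlineUser -Identity HUB01@contoso.com| fl *registrarpool*`, but the sentence above it says to take the value from an existing Skype for Business user. HUB01 is the account being enabled in this same step, so it has no registrar pool to report yet. Keep an already-enabled user in the example, or reword the sentence. Also, the license step is numbered "2." directly after another step "2.", and step 2 says "Skype for Business Server" inside the Skype for Business Online section.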
@ -152,9 +160,35 @@ Use this procedure if you use Exchange on-prem.
- Click **Save**.
>**Note** You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
>[!NOTE]
>You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
For validation, you should be able to use any Skype for Business client (PC, Android, etc.) to sign in to this account.
### Skype for Business on-prem
To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
```
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName
```
### Skype for Business hybrid
If your organization has set up [hybrid connectivity between Skype for Business Server and Skype for Business Online](https://technet.microsoft.com/library/jj205403.aspx), the guidance for creating accounts differs from a standard Surface Hub deployment.
The Surface Hub requires a Skype account of the type `meetingroom`, while a normal user would use a user type account in Skype. If your Skype server is set up for hybrid where you might have users on the local Skype server as well as users hosted in Office 365, you might run into a few issues when trying to create a Surface Hub account.
In a hybrid Skype environment, you have to create the user on-prem first, then move the user to the cloud. This means that your user is present in both environments (which makes SIP routing possible). The move from on-prem to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet which can only be used against user type accounts, not meetingroom type accounts. Because of this, you will not be able to move a Surface Hub account that has a meetingroom type of account. You might think of using the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet, unfortunately this will not work between the on-prem Skype server and Office 365 - it only works across on-prem Skype pools.
To have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. Enable the account on the on-prem Skype server first:
```
Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName
```
After the Surface Hub account is enabled for Skype for Business on-premises, you can keep the account on-premises or you can move the Surface Hub account to Office 365, using the Move-CsUser cmdlet. [Learn more about moving a Skype user to Office 365.](https://technet.microsoft.com/library/jj204969.aspx)
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
## Exchange online
Use this procedure if you use Exchange online.
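Review bot: In the on-prem and hybrid commands, `registrarpoolfqdn` is a placeholder but reads like a literal value, and it is unquoted in the `Enable-CsMeetingRoom` line while quoted in the `Enable-CsUser` line. Mark it as a placeholder the same way in both and say in the text that it must be replaced with the pool's FQDN. Both new fences also drop the `ps1` tag that the other blocks in this file carry, and the Move-CsMeetingRoom link still has the `?f=255&mspperror=-2147217396` query string, which can be trimmed.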
@ -165,8 +199,7 @@ Use this procedure if you use Exchange online.
```ps1
Set-ExecutionPolicy Unrestricted
$org='contoso.microsoft.com'
$cred=Get-Credential $admin@$org
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
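Review bot: The `-ConnectionUri` in the `New-PSSession` line is `https://outlook.office365.com/ps1-liveid/`; the Exchange Online remote PowerShell endpoint is `powershell-liveid`, so this looks like a search-and-replace of "powershell" with "ps1" that also hit the URL, and the session will not connect as written. With `Get-Credential $admin@$org` replaced by the `-Message` form, `$org` is no longer used in this block and can be dropped. While this block is being touched, `Set-ExecutionPolicy Unrestricted` would be safer as a process-scoped setting (`-Scope Process`) so that the admin workstation is not left unrestricted afterwards.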
@ -202,9 +235,10 @@ Use this procedure if you use Exchange online.
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
```ps1
Set-Mailbox $acctUpn -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy
Set-Mailbox 'HUB01@contoso.com' -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
Set-Mailbox 'HUB01@contoso.com' -Type Room
$credNewAccount = Get-Credential -Message "Please provide the Surface Hub username and password"
Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
```
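Review bot: The block converts the room mailbox to `Regular`, applies the policy, and converts it back, with nothing said about what to do if `Set-CASMailbox` fails in between; the account would then be left as a regular user mailbox. Suggest adding a sentence telling the reader to confirm the mailbox type is Room again before continuing. The prose also says you "may need to" re-enable the account and set the password again, while the block now always does both, so the sentence should say that these steps are part of the procedure.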
@ -236,7 +270,7 @@ Use this procedure if you use Exchange online.
![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
6. Directory synchronization.
6. Run directory synchronization.
After you've created the account, run a directory synchronization. When it's complete, go to the users page and verify that the two accounts created in the previous steps have merged.
@ -262,44 +296,47 @@ Use this procedure if you use Exchange online.
Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```
9. Enable the device account with Skype for Business.
Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-prem](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid).
In order to enable Skype for Business, your environment will need to meet the following prerequisites:
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
<span id="sfb-online"/>
### Skype for Business Online
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
In order to enable Skype for Business, your environment will need to meet the following prerequisites:
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- Your tenant users must have Exchange mailboxes.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required).
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
Start by creating a remote PowerShell session from a PC.
1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC.
```ps1
Import-Module LyncOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
```
Import-Module LyncOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```ps1
Enable-CsMeetingRoom -Identity $rm -RegistrarPool
'sippoolbl20a04.infra.lync.com' -SipAddressType EmailAddress
```
```
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool
'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```ps1
Get-CsOnlineUser -Identity alice@contoso.com| fl *registrarpool*
```
```
Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool*
```
10. Assign Skype for Business license to your Surface Hub account
Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
- Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
- Sign in as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
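Review bot: The `Enable-CsMeetingRoom` command in step 2 is split across two lines after `-RegistrarPool` with no continuation character, so pasted into PowerShell the first line fails for a missing argument and the second runs as a separate statement. Put it on one line, as the Exchange on-prem section does. The RegistrarPool lookup has the same problem as in the on-prem section: it queries 'HUB01@contoso.com' while the text says to use an existing Skype for Business user. The re-indented fences also lose their `ps1` tag, and step 10 follows a list that restarted at 1.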
@ -311,6 +348,34 @@ Use this procedure if you use Exchange online.
- Click **Save**.
>**Note** You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
>[!NOTE]
> You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account.
<span id="sfb-onprem"/>
### Skype for Business on-prem
To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
```
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName
```
<span id="sfb-hybrid"/>
### Skype for Business hybrid
If your organization has set up [hybrid connectivity between Skype for Business Server and Skype for Business Online](https://technet.microsoft.com/library/jj205403.aspx), the guidance for creating accounts differs from a standard Surface Hub deployment.
The Surface Hub requires a Skype account of the type *meetingroom*, while a normal user would use a *user* type account in Skype. If your Skype server is set up for hybrid where you might have users on the local Skype server as well as users hosted in Office 365, you might run into a few issues when trying to create a Surface Hub account.
In a hybrid Skype environment, you have to create the user on-prem first, then move the user to the cloud. This means that your user is present in both environments (which makes SIP routing possible). The move from on-prem to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet which can only be used against user type accounts, not meetingroom type accounts. Because of this, you will not be able to move a Surface Hub account that has a meetingroom type of account. You might think of using the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&MSPPError=-2147217396) cmdlet, unfortunately this will not work between the on-prem Skype server and Office 365 - it only works across on-prem Skype pools.
In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-prem](#exchange-on-prem) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-prem Skype server:
```
Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName
```
After the Surface Hub account is enabled for Skype for Business on-premises, you can keep the account on-premises or you can move the Surface Hub account to Office 365, using the Move-CsUser cmdlet. [Learn more about moving a Skype user to Office 365](https://technet.microsoft.com/library/jj204969.aspx).
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
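Review bot: The anchors are added as self-closing spans (`<span id="sfb-onprem"/>`, `<span id="sfb-hybrid"/>`). `span` is not a void element, so HTML parsers treat this as an opening tag and wrap the content that follows. Use `<span id="sfb-onprem"></span>` instead. The Exchange on-prem section links to the generated heading anchors (`#skype-for-business-on-prem`) rather than to explicit ids, so pick one scheme for both sections. The validation sentences are also inconsistent: this hunk changes "Login" to "Sign in" but the hybrid section ends with "log in to this account".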


View File

@ -13,7 +13,9 @@ localizationpriority: medium
# Microsoft Surface Hub
Documents related to the Microsoft Surface Hub.
Documents related to deploying and managing the Microsoft Surface Hub in your organization.
>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub)
## In this section
@ -34,5 +36,8 @@ Documents related to the Microsoft Surface Hub.
<td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
<td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
</tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr>
<tr><td>[How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)</td><td>This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. </td></tr>
<tr><td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
</tbody>
</table>
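Review bot: The new "Change history for Surface Hub" row has a typo, "new and updated topis"; it should read "topics". The three added rows also use bare `<td>` cells on a single line, while the existing rows use `<td align="left"><p>…</p></td>`. Match the existing markup so the new rows render with the same alignment and spacing.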

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, mobility
author: TrudyHa
author: jdeckerMS
localizationpriority: medium
---
@ -23,16 +23,17 @@ Surface Hub has been validated with Microsofts first-party MDM providers:
You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
You can enroll your Surface Hubs using bulk or manual enrollment.
> [!NOTE]
> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
**To disable automatic enrollment for Microsoft Intune**
1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
2. Click the **Applications** tab, then click **Microsoft Intune**.
3. Under **Manage devices for these users**, click **Groups**.
4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune. 5. Click the checkmark button, then click **Save**.
> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD-joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
>
> **To enable automatic enrollment for Microsoft Intune**
> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
> 2. Click the **Applications** tab, then click **Microsoft Intune**.
> 3. Under **Manage devices for these users**, click **Groups**.
> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. **Do not include accounts that are used to enroll Surface Hubs into Intune.**
> 5. Click the checkmark button, then click **Save**.
### Bulk enrollment
**To configure bulk enrollment**
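Review bot: The procedure heading changes from "To disable automatic enrollment" to "**To enable automatic enrollment for Microsoft Intune**", but the sentence just above it still says you must disable this policy for Surface Hub, and the steps themselves are about leaving Surface Hub enrollment accounts out of the selected groups. As written the heading contradicts the note it sits in. Suggest a heading that describes what the steps do, such as excluding Surface Hub accounts from automatic enrollment. Moving the steps inside the `>` note also depends on the renderer supporting numbered lists inside a note block, so check the built page.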
@ -41,10 +42,8 @@ You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
### Manual enrollment
You can manually enroll with an MDM using the **Settings** app on your Surface Hub.
**To configure manual enrollment**
1. From your Surface Hub, open **Settings**.
1. On your Surface Hub, open **Settings**.
2. Type the device admin credentials when prompted.
3. Select **This device**, and navigate to **Device management**.
4. Under **Device management**, select **+ Device management**.
@ -52,30 +51,127 @@ You can manually enroll with an MDM using the **Settings** app on your Surface H
## Manage Surface Hub settings with MDM
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings)<!---, and some [Windows 10 settings](#supported-windows-10-settings)-->. Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
### Supported Surface Hub CSP settings
You can configure the Surface Hub settings in the following table using MDM. The table also tells if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323).
| Setting | Node in the SurfaceHub CSP | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| Setting | Node in the SurfaceHub CSP | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| -------------------- | ---------------------------------- | ------------------------- | ---------------------------------------- | ------------------------- |
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> Use a custom setting. | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> Use a custom setting. | Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> Use a custom setting. | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> Use a custom setting. | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> [Use a custom policy.](#example-intune)) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
### Supported Windows 10 settings
In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/library/windows/hardware/dn920025.aspx).
The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
#### Security settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Browser settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Windows Update settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Windows Defender settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Remote reboot
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Install certificates
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes. <br> See [Configure Intune certificate profiles](https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles). | Yes. <br> See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles). | Yes |
<!--
| Install client certificates | Use to deploy Personal Information Exchange (.pfx, .p12) certificates. | [ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx) | Yes. <br> See [How to Create and Deploy PFX Certificate Profiles in Intune Standalone](https://blogs.technet.microsoft.com/karanrustagi/2016/03/16/want-to-push-a-certificate-to-device-but-cant-use-ndes-continue-reading/). | Yes. <br> See [How to create PFX certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-pfx-certificate-profiles). | Yes |
-->
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Collect logs
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes |
<!--
| Collect security auditing logs | Use to remotely collect security auditing logs from Surface Hub. | SecurityAuditing node in [Reporting CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608321.aspx) | No | No | Yes |-->
\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
### Generate OMA URIs for settings
You need to use a settings OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/<name of CSP>` <br>
*For example, the root node of the [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) is `./Vendor/MSFT/SurfaceHub`.*
2. Identify the node path for the setting you want to use. <br>
*For example, the node path for the setting to enable wireless projection is `InBoxApps/WirelessProjection/Enabled`.*
3. Append the node path to the root node to generate the OMA URI. <br>
*For example, the OMA URI for the setting to enable wireless projection is `./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled`.*
The data type is also stated in the CSP documentation. The most common data types are:
- char (String)
- int (Integer)
- bool (Boolean)
## Example: Manage Surface Hub settings with Micosoft Intune
<span id="example-intune">
## Example: Manage Surface Hub settings with Microsoft Intune
You can use Microsoft Intune to manage Surface Hub settings.
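Review bot: The `<span id="example-intune">` line placed before the Intune example heading has no closing tag in the lines shown; close it on the same line (`<span id="example-intune"></span>`) so the anchor does not wrap the rest of the page. The table headers are also inconsistent about the footnote marker: the Windows Update and Collect logs tables use `SyncML*?` while the Defender, Remote reboot and Install certificates tables use `SyncML\*?`, so use the escaped form throughout. The link text `Update/ DeferFeatureUpdatesPeriodInDays` has a stray space after the slash.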
@ -87,23 +183,30 @@ You'll use the **Windows 10 Team general configuration policy** as the template.
2. On the left-hand navigation menu, click **Policy**.
3. In the Overview page, click **Add Policy**.
4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**.
![template for Windows 10 Team](images/intune-template.png)
5. Configure your policy, then click **Save Policy**
![save policy](images/intune-save-policy.png)
6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
**To create a custom configuration policy**
Youll need to create a custom policy to manage settings that are not available in the template.
Youll need to create a custom policy using the **Custom Configuration (Windows 10 Desktop and Mobile and later)** template to manage settings that are not available in the **Windows 10 Team general configuration policy** template.
1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
2. On the left-hand navigation menu, click **Policy**.
3. In the Overview page, click **Add Policy**.
3. On the Overview page, click **Add Policy**.
4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
5. Type a name and optional description for the policy.
6. Under OMA-URI Settings, click **Add**.
7. Complete the form to create a new setting, and then click **OK**.
8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
9. Once you're done, click **Save Policy** and deploy it to a user or device group.
![example of OMA URI form](images/oma-uri.png)
8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
9. After you're done, click **Save Policy** and deploy it to a user or device group.
<span id="example-sccm">
## Example: Manage Surface Hub settings with System Center Configuration Manager
System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
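Review bot: Step 3 of the custom configuration policy procedure changes "In the Overview page" to "On the Overview page", but step 3 of the template-based procedure above it still reads "In the Overview page"; change both so the two procedures match. Step 5 of the first procedure ("Configure your policy, then click **Save Policy**") is missing its closing period, and the `<span id="example-sccm">` anchor before the Configuration Manager heading has no closing tag in the lines shown.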
@ -115,21 +218,32 @@ System Center Configuration Manager supports managing modern devices that do not
1. On the **Assets and Compliance** workspace of the Configuration Manager console, click **Overview** > **Compliance Settings** > **Configuration Items**.
2. On the **Home** tab, in the **Create** group, click **Create Configuration Item**.
3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
4. Under **Specify the type of configuration item that you want to create**, select **Windows 8.1 and Windows 10**.
5. Click **Categories** if you create and assign categories to help you search and filter configuration items in the Configuration Manager console.
6. On the **Supported Platforms** page, select **Windows 10** > **All Windows 10 Team and higher**. Unselect the other Windows platforms.
4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
![example of UI](images/sccm-create.png)
5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
![select platform](images/sccm-platform.png)
7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
8. On the **Windows 10 Team** page, configure the settings you require.
![Windows 10 Team](images/sccm-team.png)
9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
![additional settings](images/sccm-additional.png)
10. On the **Additional Settings** page, click **Add**.
11. On the **Browse Settings** dialog, click **Create Setting**.
12. On the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
11. In the **Browse Settings** dialog, click **Create Setting**.
12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
13. Under **Setting type**, select **OMA URI**.
14. Complete the form to create a new setting, and then click **OK**.
![OMA URI setting](images/sccm-oma-uri.png)
15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
17. Repeat Steps 10 to 16 for each custom setting you want to add to the configuration item.
18. Once you're done, on the **Browse Settings** dialog, click **Close**.
17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
18. When you're done, on the **Browse Settings** dialog, click **Close**.
19. Complete the wizard. <br> You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace.
For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
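Review bot: The rewritten steps 4 and 5 replace what were steps 4 to 6, so the source numbering now jumps from 5 to 7, and the new cross-reference "Repeat steps 9 to 15" only matches once the remaining items are renumbered. Renumber steps 7 to 19 as 6 to 18 in the source so that the reference covers clicking **Add** on the **Additional Settings** page through the **Create Rule** dialog. The dialog wording is also half-converted: steps 11 and 12 now say "In the ... dialog" while steps 15, 16 and 18 still say "On the ... dialog".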

View File

@ -19,7 +19,7 @@ New releases of the Surface Hub operating system are published through Windows U
You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
| Capabilities | Windows Update for Business | Windows server Update Services (WSUS) |
| Capabilities | Windows Update for Business | Windows Server Update Services (WSUS) |
| ------------ | --------------------------- | ------------------------------------- |
| Receive updates directly from Microsoft's Windows Update service, with no additional infrastructure required. | Yes | No |
| Defer updates to provide additional time for testing and evaluation. | Yes | Yes |
@ -57,6 +57,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
@ -92,9 +93,9 @@ Once you've determined deployment rings for your Surface Hubs, configure update
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
## Use Windows Server Update Services (WSUS)
## Use Windows Server Update Services
You can connect Surface Hub to your WSUS server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
You can connect Surface Hub to your Windows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
**To manually connect a Surface Hub to a WSUS server:**
1. Open **Settings** on your Surface Hub.
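Review bot: Renaming the section heading from "Use Windows Server Update Services (WSUS)" to "Use Windows Server Update Services" changes the anchor generated from it, so any link that targets the old heading anchor needs to be updated in the same change.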
@ -104,6 +105,14 @@ You can connect Surface Hub to your WSUS server to manage updates. Updates will
To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
**If you use a proxy server or other method to block URLs**
If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”:
- `http(s)://*.update.microsoft.com`
- `http://download.windowsupdate.com`
- `http://windowsupdate.microsoft.com`
Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state.
## Maintenance window
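Review bot: The closing sentence of the new proxy section says removing the addresses returns "your Surface Hub to its previous state", but the addresses are added to and removed from the proxy or filter allow list, not the device; reword it to say the allow list entries can be removed after the Windows 10 Team Anniversary Update is installed. The lead sentence ("a method other than WSUS to block specific URLs and prevent updates") reads as if preventing updates is the goal, and two of the three entries are plain `http://` while the first is written `http(s)://`, so state which scheme is expected for each. The section title is bold text rather than a heading, so it cannot be linked to.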

View File

@ -101,6 +101,9 @@ This table describes the sample queries in the Surface Hub solution:
For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
>[!NOTE]
>Surface Hub does not currently support the use of a proxy server to communicate with the OMS service.
| Agent resource | Ports | Bypass HTTPS inspection? |
| --------------------------- | ----- | ------------------------ |
| *.ods.opinsights.azure.com | 443 | Yes |
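Review bot: The added note says Surface Hub does not support a proxy server for OMS traffic, yet the paragraph above it still sends readers to "Configure proxy and firewall settings in Log Analytics" and the table keeps a "Bypass HTTPS inspection?" column; say in the note which part of that guidance still applies to Surface Hub. The context sentence "This table list the ports" should read "lists".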

View File

@ -1,5 +1,5 @@
---
title: On-premises deployment (Surface Hub)
title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: single forest deployment, on prem deployment, device account, Surface Hub
@ -11,12 +11,12 @@ author: TrudyHa
localizationpriority: medium
---
# On-premises deployment (Surface Hub)
# On-premises deployment for Surface Hub in a single-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.
@ -99,7 +99,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it:
```PowerShell
CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
Set-CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
-LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com
-Identity HUB01 -EnterpriseVoiceEnabled $true
```
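Review bot: Adding the `Set-` verb fixes only the first line of the Enterprise Voice example; the next line still reads `-LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com`, with no space or opening quote after `-LineURI` and a second `Set-CsMeetingRoom` command run into the same line. Split the block into two commands, one passing `-LineURI` with a correctly quoted value and one passing `-EnterpriseVoiceEnabled $true`, and mark the line continuations explicitly if the commands stay wrapped.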

View File

@ -0,0 +1,105 @@
---
title: On-premises deployment multi-forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: multi forest deployment, on prem deployment, device account, Surface Hub
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# On-premises deployment for Surface Hub in a multi-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.
Be sure you have the right permissions set to run the associated cmdlets.
Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server.
```PowerShell
Set-ExecutionPolicy Unrestricted
$org='contoso.microsoft.com'
$cred=Get-Credential $admin@$org
$sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue
$sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $sessExchange
Import-PSSession $sessLync
```
2. After establishing a session, create a new mailbox in the Resource Forest. This will allow the account to authenticate into the Surface Hub.
If you're changing an existing resource mailbox:
```PowerShell
New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01"
```
3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isnt set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
If you havent created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
```PowerShell
Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy -ActiveSyncEnabled $true
Set-Mailbox $acctUpn -Type Room
```
4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. This should be set in the User Forest.
```PowerShell
Set-AdUser $acctUpn -PasswordNeverExpires $true
```
6. Enable the account in Active Directory so it will authenticate to the Surface Hub. This should be set in the User Forest.
```PowerShell
Set-AdUser $acctUpn -Enabled $true
```
6. You now need to change the room mailbox to a linked mailbox:
```PowerShell
$cred=Get-Credential AuthForest\LinkedRoomTest1
Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1
```
7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool:
```PowerShell
Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com"
-DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com
-Identity HUB01
```
You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity.
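Review bot: Step 1 opens with `Set-ExecutionPolicy Unrestricted`, which changes the execution policy persistently on the admin workstation; scope it with `-Scope Process` so the relaxed policy ends with the session. The front matter reuses `ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6`, the value the single-forest topic already carries, and the procedure has two steps numbered 6. Step 2's lead-in "If you're changing an existing resource mailbox:" sits above a `New-Mailbox` command, and step 4's `Set-CalendarProcessing` line passes `AllowConflicts $false DeleteComments $false` without leading hyphens, so those are parsed as positional arguments. `$admin` and `$acctUpn` are used without being assigned or explained.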
 

View File

@ -54,20 +54,17 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
Once you have a compatible policy, then you will need to apply the policy to the device account.
```PowerShell
Set-Mailbox $acctUpn -Type Regular
Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id
Set-Mailbox $acctUpn -Type Room
Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
```
4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Connect to Azure AD.
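Review bot: The rewritten `Set-CalendarProcessing` line in step 4 carries over `AllowConflicts $false DeleteComments $false` without leading hyphens, so those two parameters are not bound; write `-AllowConflicts $false -DeleteComments $false`. Step 3 also drops the `Set-Mailbox ... -RoomMailboxPassword ... -EnableRoomMailboxAccount $true` line along with the convert-and-convert-back sequence, so confirm that nothing later in the procedure relies on the account being re-enabled at that point.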
@ -81,32 +78,26 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
```PowerShell
Set-MsolUser -UserPrincipalName $acctUpn -PasswordNeverExpires $true
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
```
7. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
7. Surface Hub requires a license for Skype for Business functionality.
- Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
```PowerShell
Set-MsolUser -UserPrincipalName $acctUpn -UsageLocation "US"
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US"
Get-MsolAccountSku
Set-MsolUserLicense -UserPrincipalName $acctUpn -AddLicenses $strLicense
Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```
8. Enable the device account with Skype for Business.
In order to enable Skype for Business, your environment will need to meet the following prerequisites:
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your tenant users must have Exchange mailboxes.
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
<!-- -->
- Start by creating a remote PowerShell session from a PC.
```PowerShell
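Review bot: The new step 7 text no longer explains the usage location, but the code block beneath it still runs `Set-MsolUser ... -UsageLocation "US"`; keep one sentence saying that the usage location determines which license SKUs are available to the account. The first two bullets under step 7 both state the Lync Online (Plan 2) requirement and can be merged, and `$strLicense` stays a variable while the user principal name is now a literal, so the sample mixes two conventions.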
@ -115,33 +106,25 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Import-PSSession $cssess -AllowClobber
```
- To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
- Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*):
```PowerShell
Enable-CsMeetingRoom -Identity $rm -RegistrarPool
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
Get-CsOnlineUser -Identity alice@contoso.com| fl *registrarpool*
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
OR by setting a variable
```PowerShell
Get-CsOnlineUser -Identity alice@contoso.microsoft.com| fl *registrarpool*
$strRegistrarPool = (Get-CsOnlineUser -Identity alice@contoso.com).RegistrarPool
```
- Enable the Surface Hub account with the following cmdlet:
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress
OR using the $strRegistarPool variable from above
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress
```
9. Assign Skype for Business license to your Surface Hub account.
Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
- Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
- Select the Surface Hub account, and then click or tap the pen icon, which means edit.
- Click on the **Licenses** option.
- In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
- Click **Save** and you're done.
>**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account.
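Review bot: In the second PowerShell block, the line "OR using the $strRegistarPool variable from above" sits inside the fence as bare text, so pasting the block produces a command error, and it misspells the variable the next line uses (`$strRegistrarPool`). Make it a `#` comment or move it outside the fence. The same applies to "OR by setting a variable", which appears before the first block rather than between the two commands it separates. The two lookup commands also use different sample identities (`alice@contoso.microsoft.com` and `alice@contoso.com`); use one throughout.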

View File

@ -24,7 +24,7 @@ There are several ways to manage your BitLocker key on the Surface Hub.
2. If youve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
3. If youre using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** &gt; **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
3. If youre using an admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** &gt; **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
## Related topics
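Review bot: Step 3 now reads "an admin account" with no qualifier, so it no longer says how this case differs from the Azure AD-joined case in step 2; state which account types the USB export applies to. The step also ends with the recovery key sitting in a text file on removable media and gives no handling guidance, so consider adding a sentence that tells admins to move the key to access-controlled storage and not leave the drive with the device.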

View File

@ -16,7 +16,7 @@ localizationpriority: medium
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
## In this section
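Review bot: The new link text "completed preparation items" drops the article and, with the `#prepare-checklist` anchor removed, no longer tells the reader which items are meant. Suggest "completed the preparation items in [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)" so the sentence still names the section it points to.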

View File

@ -0,0 +1,121 @@
---
title: How Surface Hub addresses Wi-Fi Direct security issues
description: This topic provides guidance on Wi-Fi Direct security risks.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# How Surface Hub addresses Wi-Fi Direct security issues
Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct.
This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit.
The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings.
## Overview
Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).
## Wi-Fi Direct background
Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods.
In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
<span id="vulnerabilities" />
## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner. | Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. |
| Invitation and discovery using PBC allows an unauthenticated attacker to perform repeated connection attempts or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, Administrators can reduce the potential for such unauthorized connections or "Invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). |
**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in WPS-PIN method design and implementation, other vulnerabilities exist within WPS-PBC involving active attacks against a protocol designed for one time use.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly teardown any Wi-Fi Direct group and attempt the described attack until it is successful. |Enable WPS-PIN security within Surface Hubs configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". |
| WPS-PIN implementations can be brute-forced using a Vulnerability within the WPS standard. Due to the design of split PIN verification, a number of implementation vulnerabilities occurred in the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS within Surface Hub changes the pin every 30 seconds. In order to crack the pin, an attacker must work through the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force pin-cracking attack through WPS is unlikely. |
| WPS-PIN can be cracked using an offline attack due to weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard discussed a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) within the wireless device lead to the ability to perform an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. |
**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. |
**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigations for these attack include: enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user is interacting with a physical or virtual button to allow arbitrary device association. This process should happen only at setup within a small window, once the button is automatically "pushed", the device will accept any station associating via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, helping enforce the generation of strong keys. It is recommended to enable WPS-PIN. |
| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect which re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security within Surface Hubs configuration. |
**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements. | The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. |
**Wireless evil twin or spoofing attacks**: Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to fake malicious network. By supporting unauthenticated, auto-join Miracast an attacker could capture the intended display materials or attempt to perform network attacks on the connecting device. | While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection. Subsequent connections use a persistent Wi-Fi Direct group and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. |
## Surface Hub hardening guidelines
Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
For users who require additional security around the wireless interface, we recommend Surface Hub users enable the WPS-PIN security setting. This disables WPS-PBC mode and offers client authentication, and provides the strongest level of protection by preventing any unauthorized connections to Surface Hub.
If concerns remain around authentication and authorization of a Surface Hub, we recommend users connect the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or using separate Ethernet network (preferably an entirely different physical network, but a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configurations to regain access.
Also recommended:
- [Install regular system updates.](manage-windows-updates-for-surface-hub.md)
- Update the Miracast settings to disable auto-present mode.
## Learn more
- [Wi-Fi Direct specifications](http://www.wi-fi.org/discover-wi-fi/wi-fi-direct)
- [Wireless Protected Setup (WPS) specification](http://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup)
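Review bot: The "Surface Hub hardening guidelines" section tells administrators to enable the WPS-PIN security setting and to disable auto-present mode, but nowhere in the topic is there a settings path, policy name, or link showing where either is configured; add the steps or link to the topic that has them. In the background section, the out-of-band method is written "WPS-OOO", which should be "WPS-OOB". The topic also expands WPS as "Wireless Protected Setup" in the Overview and in the "Learn more" link while the vulnerabilities section uses "Wi-Fi Protected Setup"; use the latter consistently. The front matter still carries `keywords: change history`, which looks copied from another topic.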

View File

@ -184,7 +184,7 @@ In Replacement PC mode, the power states are only Ready and Off and only change
</tr>
<tr class="even">
<td align="left"><p>5</p></td>
<td align="left"><p>50</p></td>
<td align="left"><p>S0</p></td>
<td align="left"><p>Ready</p></td>
</tr>
</tbody>

View File

@ -1,5 +1,6 @@
# [Surface](index.md)
## [Deploy Surface devices](deploy.md)
### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
@ -12,6 +13,8 @@
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
@ -19,7 +22,9 @@
## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Change history for Surface documentation](change-history-for-surface.md)

View File

@ -21,14 +21,15 @@ To address more granular control over the security of Surface devices, the v3.11
## Manually install the UEFI update
Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows]( https://go.microsoft.com/fwlink/p/?LinkID=618030).
Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows](https://support.microsoft.com/en-us/kb/306525).
To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
## Manually configure additional security settings
>**Note:**&nbsp;&nbsp;To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
>[!NOTE]
>To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named **Advanced Device Security** becomes available. If you click this menu, the following options are displayed:
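Review bot: The replacement link for "How to configure and use Automatic Updates in Windows" hard-codes a locale (`https://support.microsoft.com/en-us/kb/306525`), while the other links in this hunk are locale-neutral. Drop the `/en-us` segment so readers are redirected to their own language.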
@ -55,7 +56,7 @@ As an IT professional with administrative privileges, you can automate the confi
- The sample scripts below leverage the previously mentioned extension and therefore assume that the tool has been installed on the device being managed.
- The scripts must be run with administrative privilege.
- The Windows PowerShell command [**Set-ExecutionPolicy Unrestricted**](https://go.microsoft.com/fwlink/p/?LinkID=618039) must be called prior to running sample scripts if they are not digitally signed.
- The Windows PowerShell command [**Set-ExecutionPolicy Unrestricted**](https://technet.microsoft.com/library/ee176961.aspx) must be called prior to running sample scripts if they are not digitally signed.
**Sample scripts**
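Review bot: The bullet being touched here still instructs readers to run `Set-ExecutionPolicy Unrestricted`, which changes the policy machine-wide and leaves it that way after the sample scripts finish. Since the line is being edited anyway, suggest recommending a narrower form such as `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process`, or signing the scripts, and add a reminder to restore the previous policy if a persistent scope is used.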

View File

@ -0,0 +1,45 @@
---
title: Change history for Surface documentation (Windows 10)
description: This topic lists new and updated topics in the Surface documentation library.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Change history for Surface documentation
This topic lists new and updated topics in the Surface documentation library.
## January 2017
|New or changed topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New |
## December 2016
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
## November 2016
|New or changed topic | Description |
| --- | --- |
|[Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | Added procedure for viewing certificate thumbprint. |
|[Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New |
## October 2016
| New or changed topic | Description |
| --- | --- |
| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New |
| [Long-term servicing branch for Surface devices](ltsb-for-surface.md) | New |
 

View File

@ -0,0 +1,76 @@
---
title: Considerations for Surface and System Center Configuration Manager (Surface)
description: The management and deployment of Surface devices with Configuration Manager is fundamentally the same as any other PC; this article describes scenarios that may require additional considerations.
keywords: manage, deployment, updates, driver, firmware
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: Scottmca
---
# Considerations for Surface and System Center Configuration Manager
Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client to publish apps, settings, and policies, you use the same process that you would use for any other device.
You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index) article in the TechNet Library.
Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
## Updating Surface device drivers and firmware
For devices that receive updates through Windows Update, drivers for Surface components and even firmware updates are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
>[!NOTE]
>Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
## Surface Ethernet adapters and Configuration Manager deployment
The default mechanism that Configuration Manager uses to identify devices during deployment is the Media Access Control (MAC) address. Because the MAC address is associated with the Ethernet controller, an Ethernet adapter shared among multiple devices will cause Configuration Manager to identify each of the devices as only a single device. This can cause a Configuration Manager deployment of Windows to not be applied to intended devices.
To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions.
For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog as documented in the [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/) blog post from the Ask The Core Team blog.
## Deploy Surface app with Configuration Manager
With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
## Use prestaged media with Surface clients
If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
## Licensing conflicts with OEM Activation 3.0
Surface devices come preinstalled with a licensed copy of Windows. For example, Surface Pro 4 is preinstalled with Windows 10 Professional. The license key for this preinstalled copy of Windows is embedded in the firmware of the device with OEM Activation 3.0 (OA 3.0). When you run Windows installation media on a device with an OA 3.0 key, Windows setup automatically reads the license key and uses it to install and activate Windows. In most situations, this simplifies the reinstallation of Windows, because the user does not have to find or enter a license key.
When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services (KMS) or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
## Apply an asset tag during deployment
Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
## Configure push-button reset
When you deploy Windows to a Surface device, the push-button reset functionality of Windows is configured by default to revert the system back to a state where the environment is not yet configured. When the reset function is used, the system discards any installed applications and settings. Although in some situations it can be beneficial to restore the system to a state without applications and settings, in a professional environment this effectively renders the system unusable to the end user.
Push-button reset can be configured, however, to restore the system configuration to a state where it is ready for use by the end user. Follow the process outlined in [Deploy push-button reset features](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/deploy-push-button-reset-features) to customize the push-button reset experience for your devices.
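Review bot: The prestaged media link in the "Use prestaged media with Surface clients" section carries leftover query parameters (`?f=255&MSPPError=-2147217396`) ahead of the `#BKMK_CreatePrestagedMedia` fragment; drop the query string so the link is only the library URL plus the fragment. In the Ethernet driver paragraph, "To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog" repeats itself and could read "Download the Surface Ethernet adapter driver from the Microsoft Update Catalog". The first two bullets of the device identification list also link to the same blog post, so consider citing it once.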

View File

@ -18,16 +18,17 @@ This article walks you through the process of customizing the Surface out-of-box
It is common practice in a Windows deployment to customize the user experience for the first startup of deployed computers — the out-of-box experience, or OOBE.
>**Note:**&nbsp;&nbsp;OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](http://msdn.microsoft.com/library/windows/hardware/dn898581.aspx).
>[!NOTE]
>OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](http://msdn.microsoft.com/library/windows/hardware/dn898581.aspx).
In some scenarios, you may want to provide complete automation to ensure that at the end of a deployment, computers are ready for use without any interaction from the user. In other scenarios, you may want to leave key elements of the experience for users to perform necessary actions or select between important choices. For administrators deploying to Surface devices, each of these scenarios presents a unique challenge to overcome.
This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://go.microsoft.com/fwlink/p/?LinkID=618042).
This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image).
>**Note:**&nbsp;&nbsp;Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:<br/>
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
<br/>
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
>[!NOTE]
>Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:<br/>
>- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
>- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
 
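Review bot: The two "For more information" links inside the new `>[!NOTE]` block still use `http://technet.microsoft.com/...`, and the How Configuration Passes Work link in the first note still uses `http://msdn.microsoft.com/...`, while the reference images link updated in this same hunk uses `https://`. Switch these to `https://` while the lines are being touched. The trailing `<br/>` after "For more information see:" also looks redundant now that the list items sit inside the quoted block.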
@ -36,12 +37,12 @@ This article provides a summary of the scenarios where a deployment might requir
When a wireless network adapter is present during OOBE, the **Join a wireless network** page is displayed, which prompts a user to connect to a wireless network. This page is not automatically hidden by deployment technologies, including MDT 2013, and therefore will be displayed even when a deployment is configured for complete automation.
To ensure that an automated deployment is not stopped by this page, the page must be hidden by configuring an additional setting in the answer file, **HideWirelessSetupInOOBE**. You can find additional information about the **HideWirelessSetupInOOBE** setting in [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkID=618044).
To ensure that an automated deployment is not stopped by this page, the page must be hidden by configuring an additional setting in the answer file, **HideWirelessSetupInOOBE**. You can find additional information about the **HideWirelessSetupInOOBE** setting in [Unattended Windows Setup Reference](https://technet.microsoft.com/library/ff716213.aspx).
## Scenario 2: Surface Pen pairing in OOBE
When you first take a Surface Pro 3, Surface Pro 4, or Surface Book out of the package and start it up, the first-run experience of the factory image includes a prompt that asks you to pair the included Surface Pen to the device. This prompt is only provided by the factory image that ships with the device and is not included in other images used for deployment, such as the Windows Enterprise installation media downloaded from the Volume Licensing Service Center. Because pairing the Bluetooth Surface Pen outside of this experience requires that you enter the Control Panel or PC Settings and manually pair a Bluetooth device, you may want to have users or a technician use this prompt to perform the pairing operation.
When you first take a Surface Pro 3, Surface Pro 4, Surface Book, or Surface Studio out of the package and start it up, the first-run experience of the factory image includes a prompt that asks you to pair the included Surface Pen to the device. This prompt is only provided by the factory image that ships with the device and is not included in other images used for deployment, such as the Windows Enterprise installation media downloaded from the Volume Licensing Service Center. Because pairing the Bluetooth Surface Pen outside of this experience requires that you enter the Control Panel or PC Settings and manually pair a Bluetooth device, you may want to have users or a technician use this prompt to perform the pairing operation.
To provide the factory Surface Pen pairing experience in OOBE, you must copy four files from the factory Surface image into the reference image. You can copy these files into the reference environment before you capture the reference image, or you can add them later by using Deployment Image Servicing and Management (DISM) to mount the image. The four required files are:
@ -50,11 +51,12 @@ To provide the factory Surface Pen pairing experience in OOBE, you must copy fou
- %windir%\\system32\\oobe\\info\\default\\1033\\PenError\_en-US.png
- %windir%\\system32\\oobe\\info\\default\\1033\\PenSuccess\_en-US.png
>**Note:**&nbsp;&nbsp;You should copy the files from a factory image for the same model Surface device that you intend to deploy to. For example, you should use the files from a Surface Pro 3 to deploy to Surface Pro 3, and the files from Surface Book to deploy Surface Book, but you should not use the files from a Surface Pro 3 to deploy Surface Book or Surface Pro 4.
>[!NOTE]
>You should copy the files from a factory image for the same model Surface device that you intend to deploy to. For example, you should use the files from a Surface Pro 3 to deploy to Surface Pro 3, and the files from Surface Book to deploy Surface Book, but you should not use the files from a Surface Pro 3 to deploy Surface Book or Surface Pro 4.
 
The step-by-step process for adding these required files to an image is described in [Deploying Surface Pro 3 Pen and OneNote Tips](https://go.microsoft.com/fwlink/p/?LinkID=618045). This blog post also includes tips to ensure that the necessary updates for the Surface Pen Quick Note-Taking Experience are installed, which allows users to send notes to OneNote with a single click.
The step-by-step process for adding these required files to an image is described in [Deploying Surface Pro 3 Pen and OneNote Tips](https://blogs.technet.microsoft.com/askcore/2014/07/15/deploying-surface-pro-3-pen-and-onenote-tips/). This blog post also includes tips to ensure that the necessary updates for the Surface Pen Quick Note-Taking Experience are installed, which allows users to send notes to OneNote with a single click.
 
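Review bot: The rewritten note about copying files from a matching factory image still names only Surface Pro 3, Surface Book and Surface Pro 4, but this commit adds Surface Studio to the devices that show the pen pairing prompt in Scenario 2. Either mention Surface Studio in the note or word it generically (for example "use the files from the same model you are deploying to") so the two passages stay consistent.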

View File

@ -11,6 +11,14 @@ author: miladCA
#Deploy Surface app with Windows Store for Business
**Applies to**
* Surface Pro 4
* Surface Book
* Surface 3
>[!NOTE]
>The Surface app ships in Surface Studio.
The Surface app is a lightweight Windows Store app that provides control of many Surface-specific settings and options, including:
* Enable or disable the Windows button on the Surface device
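Review bot: The added note "The Surface app ships in Surface Studio." does not say whether the app is preinstalled on the device or whether the deployment steps in this article apply to Surface Studio, and Surface Studio is absent from the new **Applies to** list directly above it. Please state the intent explicitly, and say whether a reimaged Surface Studio needs the app deployed by the procedures that follow.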
@ -25,15 +33,15 @@ The Surface app is a lightweight Windows Store app that provides control of many
If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Windows Store for Business.
####Surface app overview
##Surface app overview
The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/en-us/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Windows Store for Business instead, you will need to add it to your stores inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Windows Store for Business, see [Windows Store for Business](https://technet.microsoft.com/en-us/windows/store-for-business) in the Windows TechCenter.
The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Windows Store for Business instead, you will need to add it to your stores inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Windows Store for Business, see [Windows Store for Business](https://technet.microsoft.com/windows/store-for-business) in the Windows TechCenter.
##Add Surface app to a Windows Store for Business account
Before users can install or deploy an app from a companys Windows Store for Business account, the desired app(s) must first be made available and licensed to the users of a business.
1. If you have not already done so, create a [Windows Store for Business account](https://www.microsoft.com/en-us/business-store).
1. If you have not already done so, create a [Windows Store for Business account](https://www.microsoft.com/business-store).
2. Log on to the portal.
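Review bot: The promoted heading `##Surface app overview` has no space after the `##`, and neither does the unchanged `##Add Surface app to a Windows Store for Business account` below it; other articles in this commit write `## Heading`, and CommonMark requires the space for an ATX heading to be recognized. Add the space while the heading level is being changed.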
@ -73,7 +81,8 @@ After you add an app to the Windows Store for Business account in Offline mode,
6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Imaging and Configuration Designer (Windows ICD). Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because youll need that later in this article.
>**Note:**&nbsp;&nbsp;When you download an app for offline use, such as the Surface app, you may notice a section at the bottom of the page labeled **Required frameworks**. Your target computers must have the frameworks installed for the app to run, so you may need to repeat the download process for each of the required frameworks for your architecture (either x86 or x64) and also include them as part of your Windows deployment discussed later in this article.
>[!NOTE]
>When you download an app for offline use, such as the Surface app, you may notice a section at the bottom of the page labeled **Required frameworks**. Your target computers must have the frameworks installed for the app to run, so you may need to repeat the download process for each of the required frameworks for your architecture (either x86 or x64) and also include them as part of your Windows deployment discussed later in this article.
Figure 5 shows the required frameworks for the Surface app.
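Review bot: The converted note under step 7 still tells readers to download frameworks "for your architecture (either x86 or x64)", while a later note in this article says only the 64-bit (x64) version of each framework is required for Surface devices. Consider aligning the wording here so the two notes do not give different guidance. Also check how the `>[!NOTE]` block renders directly after a numbered list item, since its indentation decides whether it nests under step 7.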
@ -81,17 +90,19 @@ Figure 5 shows the required frameworks for the Surface app.
*Figure 5. Required frameworks for the Surface app*
>**Note:**&nbsp;&nbsp;The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
>[!NOTE]
>The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
To download the required frameworks for the Surface app, follow these steps:
1. Click the **Download** button under **Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
2. Click the **Download** button under **Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
>**Note:**&nbsp;&nbsp;Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks.
>[!NOTE]
>Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks.
##Install Surface app on your computer with PowerShell
The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#how-to-download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
2. Begin an elevated PowerShell session.
>**Note:**&nbsp;&nbsp;If you dont run PowerShell as an Administrator, the session wont have the required permissions to install the app.
3. In the elevated PowerShell session, copy and paste the following command:
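Review bot: The note under step 2 ("If you dont run PowerShell as an Administrator...") is left in the old `>**Note:**&nbsp;&nbsp;` form while the other two notes in this hunk were converted to `>[!NOTE]`; convert it as well. The updated anchor `#download-surface-app-from-a-windows-store-for-business-account` no longer matches the link text "How to download Surface app from a Windows Store for Business account", so confirm the target heading was renamed and update the link text to match it.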
@ -119,7 +130,7 @@ Before the Surface app is functional on the computer where it has been provision
##Install Surface app with MDT
The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image.
1. Using the procedure described [earlier in this article](#how-to-download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
1. Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**.
3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows:
@ -144,4 +155,4 @@ After import, the Surface app will be available for selection in the **Applicati
2. Add a new **Install Application** task in the **State Restore** section of deployment.
3. Select **Install a single application** and specify the **Surface App** as the **Application to be installed**.
For more information about including apps into your Windows deployments, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit).
For more information about including apps into your Windows deployments, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit).

View File

@ -28,132 +28,137 @@ Driver and firmware updates for Surface devices are released in one of two ways:
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article.
>**Note:**&nbsp;&nbsp;To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page. Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file.
>[!NOTE]
>To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page. Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file.
 
Recent additions to the downloads for Surface devices provide you with options to install Windows 10 on your Surface devices and update LTE devices with the latest Windows 10 drivers and firmware.
>**Note:**&nbsp;&nbsp;A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
 
>[!NOTE]
>A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
## Surface Studio
Download the following updates for [Surface Studio from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=54311).
* SurfaceStudio_Win10_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
## Surface Book
Download the following updates [for Surface Book from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=691691).
Download the following updates [for Surface Book from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49497).
- SurfaceBook\_Win10\_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- SurfaceBook_Win10_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- SurfaceBook_Win10_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
## Surface Pro 4
Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=691692).
Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49498).
- SurfacePro4\_Win10\_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- SurfacePro4_Win10_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- SurfacePro4_Win10_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
## <a href="" id="surface-pro-3-"></a>Surface Pro 3
Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690288).
Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=38826).
- SurfacePro3\_Win10\_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- SurfacePro3_Win10_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- SurfacePro3\_Win10\_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
- SurfacePro3_Win10_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
- SurfacePro3\_xxxxxx.msi Cumulative firmware and driver update package for Windows 8.1 Pro
- SurfacePro3_Win8x_xxxxxx.msi Cumulative firmware and driver update package for Windows 8.1 Pro
- SurfacePro3\_xxxxxx.zip Cumulative firmware and driver update package for Windows 8.1 Pro
- SurfacePro3_Win8x_xxxxxx.zip Cumulative firmware and driver update package for Windows 8.1 Pro
- Surface Firmware Tool.msi Firmware tools for UEFI management
- Surface Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface Gigabit Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface Pro 3 AssetTag.zip UEFI Asset Tag management tool
- Surface Pro 3 Driver Set.ppkg Deployment Asset Provisioning Package for Windows 10
- Surface Pro 3 KB2978002.zip Update for Quick Note-Taking Experience feature in Windows 8.1
- Windows8.1-KB2969817-x64.msu Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
## Surface 3
Download the following updates [for Surface 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690289).
Download the following updates [for Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49040).
- Surface3\_Win10\_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
- Surface3_WiFi_Win10_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
- Surface3\_Win8x\_xxxxxx.msi Cumulative firmware and driver update package for Windows 8.1 Pro
- Surface3_WiFi_Win10_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
- Surface3\_Win8x\_xxxxxx.zip Cumulative firmware and driver update package for Windows 8.1 Pro
- Surface3_WiFi_Win8x_xxxxxx.msi Cumulative firmware and driver update package for Windows 8.1 Pro
- Surface Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface3_WiFi_Win8x_xxxxxx.zip Cumulative firmware and driver update package for Windows 8.1 Pro
- Surface Gigabit Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface 3 AssetTag.zip UEFI Asset Tag management tool
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
## Surface 3 LTE
Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690290).
Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49039).
- Surface3\_US1\_Win10\_xxxxxx.msi Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
- Surface3_4GLTE-ATT_Win10_xxxxxx.msi Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
- Surface3\_US1\_Win10\_xxxxxx.zip Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
- Surface3_4GLTE-ATT_Win10_xxxxxx.zip Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
- Surface3\_US1\_Win8x\_xxxxxx.msi Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
- Surface3_4GLTE-ATT_Win8x_xxxxxx.msi Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
- Surface3\_US1\_Win8x\_xxxxxx.zip Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
- Surface3_4GLTE-ATT_Win8x_xxxxxx.zip Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
- Surface Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface Gigabit Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface 3 AssetTag.zip UEFI Asset Tag management tool
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690291).
Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49037).
- Surface3\_NAG\_Win10\_xxxxxx.msi Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
- Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.msi Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
- Surface3\_NAG\_Win10\_xxxxxx.zip Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
- Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.zip Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
- Surface3\_NAG\_Win8x\_xxxxxx.msi Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
- Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.msi Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
- Surface3\_NAG\_Win8x\_xxxxxx.zip Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
- Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.zip Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
- Surface Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface Gigabit Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface 3 AssetTag.zip UEFI Asset Tag management tool
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690292).
Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49041).
- Surface3\_ROW\_Win10\_xxxxxx.msi Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
- Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.msi Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
- Surface3\_ROW\_Win10\_xxxxxx.zip Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
- Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.zip Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
- Surface3\_ROW\_Win8x\_xxxxxx.msi Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
- Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.msi Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
- Surface3\_ROW\_Win8x\_xxxxxx.zip Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
- Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.zip Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
- Surface Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface Gigabit Ethernet Adapter.zip x64 Ethernet adapter drivers
- Surface 3 AssetTag.zip UEFI Asset Tag management tool
- Wintab-xxxxx-64-bit.zip Tablet driver update for all supported x64-based versions of Windows 8.1
## Surface Pro 2
Download the following updates [for Surface Pro 2 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690293).
Download the following updates [for Surface Pro 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49042).
- SurfacePro2\_Win10\_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
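Review bot: The renamed package entries in the Surface 3 and Surface 3 LTE lists (for example `Surface3_WiFi_Win10_xxxxxx.msi` and `Surface3_4GLTE-ATT_Win10_xxxxxx.msi`) drop the `\_` escaping that untouched entries in the same file still use (`SurfacePro2\_Win10\_xxxxxx.zip`). Pick one convention for the whole file; putting the file names in code spans would remove the need for escaping altogether and keep them copyable.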
@ -168,7 +173,7 @@ Download the following updates [for Surface Pro 2 from the Microsoft Download Ce
## Surface Pro
Download the following updates [for Surface Pro from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690294).
Download the following updates [for Surface Pro from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49038).
- SurfacePro\_Win10\_xxxxxx.zip Cumulative firmware and driver update package for Windows 10
@ -185,7 +190,7 @@ Download the following updates [for Surface Pro from the Microsoft Download Cent
There are no downloadable firmware or driver updates available for Surface RT. Updates can only be applied using Windows Update.
If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://go.microsoft.com/fwlink/p/?LinkId=618107).
If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).
 

View File

@ -11,7 +11,8 @@ author: Scottmca
# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
#### Applies to
**Applies to**
- Surface Studio
* Surface Pro 4
* Surface Book
* Surface 3
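Review bot: The added `- Surface Studio` item uses a hyphen while every other item in the Applies to list uses `*`. In CommonMark a change of bullet character starts a new list, so Surface Studio can render as its own list, separate from the other devices. Use `* Surface Studio` to match the existing items.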
@ -29,31 +30,37 @@ By automating each aspect of the deployment process, you not only greatly decrea
## Deployment tools
The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/windows.aspx).
The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/download/windows.aspx).
#### Microsoft Deployment Toolkit
The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*.
You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741).
You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741).
#### Windows Assessment and Deployment Kit
Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data.
You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk).
You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk).
#### Windows 10 installation media
Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
>**Note:**&nbsp;&nbsp;The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
>[!NOTE]
>The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
#### Windows Server
Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
>**Note:**&nbsp;&nbsp;To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter).
>[!NOTE]
>To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter).
#### Windows Deployment Services
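Review bot: The rewritten notes in this hunk still carry `/en-us/` in their links (`https://www.microsoft.com/en-us/software-download/windows10/` and `https://www.microsoft.com/en-us/evalcenter`), while the same hunk strips the locale from the Download Center, MDT and Windows ADK links. If the intent is locale-neutral URLs, remove it from these two as well, or state in the commit message why they are exempt.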
@ -63,32 +70,38 @@ Windows Deployment Services (WDS) is leveraged to facilitate network boot capabi
The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers especially complex drivers that include application components like control panel applications you ensure that the image created by your reference image process will be as universally compatible as possible.
>**Note:**&nbsp;&nbsp;A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
>[!NOTE]
>A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
>**Note:**&nbsp;&nbsp;Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
>[!NOTE]
>Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
#### Surface firmware and drivers
For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates).
When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process.
>**Note:**&nbsp;&nbsp;Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
>[!NOTE]
>Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
#### Application installation files
In addition to the drivers that are used by Windows to communicate with the Surface devices hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line.
>**Note:**&nbsp;&nbsp;If the application files for your application are stored on your organizations network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
>[!NOTE]
>If the application files for your application are stored on your organizations network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
#### Microsoft Surface Deployment Accelerator
If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
### Install the deployment tools
@ -96,7 +109,8 @@ Before you can configure the deployment environment with Windows images, drivers
To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment.
>**Note:**&nbsp;&nbsp;To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
>[!NOTE]
>To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
#### Install Windows Deployment Services
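Review bot: The converted note tells the reader to disable Internet Explorer Enhanced Security Configuration and possibly enable **File Download** for the **Internet** zone, but never says to restore either setting. Add a sentence to re-enable both once the tools are downloaded, or mention that the installers can be downloaded on a client and copied to the server, so the deployment server is not left with relaxed browser settings.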
@ -112,17 +126,20 @@ After the WDS role is installed, you need to configure WDS. You can begin the co
*Figure 2. Configure PXE response for Windows Deployment Services*
>**Note:**&nbsp;&nbsp;Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
>[!NOTE]
>Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console.
>**Note:**&nbsp;&nbsp;You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
>[!NOTE]
>You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
#### Install Windows Assessment and Deployment Kit
To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
>**Note:**&nbsp;&nbsp;You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
>[!NOTE]
>You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3.
@ -170,13 +187,16 @@ To create the deployment share, follow these steps:
* **Path** Specify a local folder where the deployment share will reside, and then click **Next**.
>**Note:**&nbsp;&nbsp;Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
>[!NOTE]
>Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
* **Share** Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**.
>**Note:**&nbsp;&nbsp;The share name cannot contain spaces.
>[!NOTE]
>The share name cannot contain spaces.
>**Note:**&nbsp;&nbsp;You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
>[!NOTE]
>You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
* **Descriptive Name** Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench.
* **Options** You can accept the default options on this page. Click **Next**.
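Review bot: The two consecutive notes under the **Share** step (no spaces in the share name, and the `$` suffix) would read better as a single note. The `$` note should also say that hiding the share only keeps it out of the browse list in File Explorer and does not restrict access, and point to the guidance on securing the deployment share that follows the wizard steps.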
@ -189,7 +209,8 @@ To create the deployment share, follow these steps:
To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media.
>**Note:**&nbsp;&nbsp;If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
>[!NOTE]
>If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices.
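Review bot: The note grants the deployment share user write permission on the Captures folder, but the paragraph above it describes that user as read-only and says its credentials are stored in plaintext in bootstrap.ini when logon is automated. State that the write permission applies to Captures only, and consider recommending a separate account for image capture so the account stored on boot media stays read-only.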
@ -197,7 +218,8 @@ You now have an empty deployment share that is ready for you to add the resource
The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
>**Note:**&nbsp;&nbsp;A 64-bit operating system is required for compatibility with Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3.
>[!NOTE]
>A 64-bit operating system is required for compatibility with Surface Studio, Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3.
To import Windows 10 installation files, follow these steps:
@ -234,7 +256,8 @@ Now that youve imported the installation files from the installation media, y
As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process.
>**Note:**&nbsp;&nbsp;For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
>[!NOTE]
>For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
To create the reference image task sequence, follow these steps:
@ -246,13 +269,15 @@ To create the reference image task sequence, follow these steps:
2. The New Task Sequence Wizard presents a series of steps, as follows:
* **General Settings** Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**.
>**Note:**&nbsp;&nbsp;The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
>[!NOTE]
>The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
* **Select Template** Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
* **Select OS** Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**.
* **Specify Product Key** Click **Do Not Specify a Product Key at This Time**, and then click **Next**.
* **OS Settings** Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
* **Admin Password** Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
>**Note:**&nbsp;&nbsp;During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
>[!NOTE]
>During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
* **Summary** Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
* **Progress** While the task sequence is created, a progress bar is displayed on this page.
* **Confirmation** When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
@ -282,7 +307,8 @@ To update the MDT boot media, follow these steps:
2. Use the Update Deployment Share Wizard to create boot images with the following process:
* **Options** Click **Completely Regenerate the Boot Images**, and then click **Next**.
>**Note:**&nbsp;&nbsp;Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
>[!NOTE]
>Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
* **Summary** Review the specified options on this page before you click **Next** to begin generation of boot images.
* **Progress** While the boot images are being generated, a progress bar is displayed on this page.
* **Confirmation** When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
@ -319,17 +345,20 @@ To import the MDT boot media into WDS for PXE boot, follow these steps:
* **Summary** Review your selections to import a boot image into WDS, and then click **Next**.
* **Task Progress** A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
>**Note:**&nbsp;&nbsp;Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
>[!NOTE]
>Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
>**Note:**&nbsp;&nbsp;If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
>[!NOTE]
>If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
### Deploy and capture a reference image
Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
>**Note:**&nbsp;&nbsp;You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.<br/><br/>
>[!NOTE]
>You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.<br/><br/>
By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
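Review bot: The converted note about version updates (the `>[!NOTE]` block under "Deploy and capture a reference image") still ends with the `<br/><br/>` pair carried over from the old `>**Note:**&nbsp;&nbsp;` form. None of the other notes converted in this hunk keep trailing breaks, so these look like leftovers from the old layout. Suggest dropping them and checking the rendered page to confirm the note still separates cleanly from the paragraph that follows.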
@ -376,7 +405,8 @@ As the task sequence processes the deployment, it will automatically perform the
* Reboot into WinPE
* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
>**Note:**&nbsp;&nbsp;The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
>[!NOTE]
>The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
@ -401,7 +431,8 @@ To import the reference image for deployment, use the following steps:
* **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
3. Expand the folder in which you imported the image to verify that the import completed successfully.
>**Note:**&nbsp;&nbsp;You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
>[!NOTE]
>You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
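Review bot: In the converted note after step 3, the second sentence switches tense with "If you chose to create a new deployment share", while the first sentence presents both options as still open ("You can import ... or you could import"). Since the line is being rewritten anyway, suggest "If you choose to create a new deployment share" so the note reads as guidance rather than as a comment on a decision already made.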
@ -409,7 +440,7 @@ Now that your updated reference image is imported, it is time to prepare your de
Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your devices firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
@ -445,7 +476,7 @@ To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow
### Import applications
You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
#### Import Microsoft Office 365 Installer
@ -499,9 +530,9 @@ Now that the installation and configuration files are prepared, the application
#### Import Surface app installer
The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/en-us/support/apps-and-windows-store/surface-app?os=windows-10).
The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business).
To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
```
@ -516,7 +547,8 @@ To create the deployment task sequence, follow these steps:
1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
* **General Settings** Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**.
>**Note:**&nbsp;&nbsp;The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
>[!NOTE]
>The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
* **Select Template** Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
* **Select OS** Navigate to and select the reference image that you imported, and then click **Next**.
* **Specify Product Key** Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
@ -553,7 +585,7 @@ After the task sequence is created it can be modified for increased automation,
![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence")
Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence
*Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence*
15. Select the **Inject Drivers** step, the next step in the task sequence.
16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options:
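Review bot: The image link on the context line directly above the Figure 22 caption uses a backslash in its path, `images\surface-deploymdt-fig22.png`. Forward slashes are the portable form for Markdown image links, so while the caption is being touched it would be worth changing this to `images/surface-deploymdt-fig22.png`. The italic caption change itself is fine, provided the other figure captions in this file get the same treatment.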
@ -727,13 +759,15 @@ To import the updated MDT boot media into WDS for PXE boot, follow these steps:
* **Summary** Review your selections to import a boot image into WDS, and then click **Next**.
* **Task Progress** A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
>**Note:**&nbsp;&nbsp;Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
>[!NOTE]
>Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
### Deploy Windows to Surface
With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch.
>**Note:**&nbsp;&nbsp;For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
>[!NOTE]
>For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
![Set boot priority for PXE boot](images\surface-deploymdt-fig25.png "Set boot priority for PXE boot")
@ -750,7 +784,8 @@ On a properly configured Surface device, simply turn on the device and press Ent
* Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office
* The task sequence will complete silently and log out of the device
>**Note:**&nbsp;&nbsp;For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
>[!NOTE]
>For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date.

View File

@ -16,6 +16,7 @@ Get deployment guidance for your Surface devices including information about MDT
| Topic | Description |
| --- | --- |
| [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) | Explains that LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|

View File

@ -16,14 +16,14 @@ author: miladCA
Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](https://go.microsoft.com/fwlink/p/?LinkId=716899).
If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](https://technet.microsoft.com/network/bb643147).
You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
## <a href="" id="download-peap--eap-fast--or-cisco-leap-installation-files--"></a>Download PEAP, EAP-FAST, or Cisco LEAP installation files
You can download the MSI installation files for PEAP, EAP-FAST, or Cisco LEAP in a single zip archive file from the Microsoft Download Center. To download this file, go to the [Surface Tools for IT](https://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center, click **Download**, and then select the **Cisco EAP-Supplicant Installer.zip** file.
You can download the MSI installation files for PEAP, EAP-FAST, or Cisco LEAP in a single zip archive file from the Microsoft Download Center. To download this file, go to the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page on the Microsoft Download Center, click **Download**, and then select the **Cisco EAP-Supplicant Installer.zip** file.
## Deploy PEAP, EAP-FAST, or Cisco LEAP with MDT
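Review bot: The two link replacements in this hunk swap `go.microsoft.com/fwlink` redirects (LinkId=716899 and LinkId=618121) for hard-coded targets, and nothing in the diff shows that the new URLs are where the old redirects resolved. Please confirm both, in particular that `https://technet.microsoft.com/network/bb643147` is the intended Extensible Authentication Protocol page. Separately, the context paragraph tells readers to execute the MSI from a USB stick or a file share without saying how to confirm the package is the one downloaded from the Download Center. A sentence on checking the installer's digital signature before deployment would fit there.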
@ -79,7 +79,7 @@ To specify the protocol(s) explicitly, follow these steps:
For organizations that manage Surface devices with Configuration Manager, it is even easier to deploy PEAP, EAP-FAST, or Cisco LEAP support to Surface devices. Simply import each MSI file as an application from the Software Library and configure a deployment to your Surface device collection.
For more information on how to deploy applications with Configuration Manager see [How to Create Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=761079) and [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=761080).
For more information on how to deploy applications with Configuration Manager see [How to Create Applications in Configuration Manager](https://technet.microsoft.com/library/gg682159.aspx) and [How to Deploy Applications in Configuration Manager](https://technet.microsoft.com/library/gg682082.aspx).
 

View File

@ -13,17 +13,18 @@ author: jobotto
With Microsoft Surface Enterprise Management Mode (SEMM), you can securely configure the settings of Surface UEFI on a Surface device and manage those settings on Surface devices in your organization. When a Surface device is managed by SEMM, that device is considered to be *enrolled* (sometimes referred to as activated). This article shows you how to create a Surface UEFI configuration package that will not only control the settings of Surface UEFI, but will also enroll a Surface device in SEMM.
For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode).
#### Download and install Microsoft Surface UEFI Configurator
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
Run the Microsoft Surface UEFI Configurator Windows Installer (.msi) file to start the installation of the tool. When the installer completes, find Microsoft Surface UEFI Configurator in the All Apps section of your Start menu.
>**Note**:&nbsp;&nbsp;Microsoft Surface UEFI Configurator is supported only on Windows 10.
>[!NOTE]
>Microsoft Surface UEFI Configurator is supported only on Windows 10.
## Create a Surface UEFI configuration package
The Surface UEFI configuration package performs both the role of applying a new configuration of Surface UEFI settings to a Surface device managed with SEMM and the role of enrolling Surface devices in SEMM. The creation of a configuration package requires you to have a signing certificate to be used with SEMM to secure the configuration of UEFI settings on each Surface device. For more information about the requirements for the SEMM certificate, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
The Surface UEFI configuration package performs both the role of applying a new configuration of Surface UEFI settings to a Surface device managed with SEMM and the role of enrolling Surface devices in SEMM. The creation of a configuration package requires you to have a signing certificate to be used with SEMM to secure the configuration of UEFI settings on each Surface device. For more information about the requirements for the SEMM certificate, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode).
To create a Surface UEFI configuration package, follow these steps:
@ -58,7 +59,7 @@ To create a Surface UEFI configuration package, follow these steps:
*Figure 4. Disable or enable individual Surface components*
11. Click **Next**.
12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-semm-enroll-fig5.png "Control advanced Surface UEFI settings and Surface UEFI pages")
@ -67,7 +68,8 @@ To create a Surface UEFI configuration package, follow these steps:
13. In the **Save As** dialog box, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**.
14. When the package is created and saved, the **Successful** page is displayed.
>**Note**:&nbsp;&nbsp;Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
>[!NOTE]
>Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters")
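Review bot: The converted note under step 14 mixes a reminder with a procedure step: it ends with "Click **End** to complete package creation and close Microsoft Surface UEFI Configurator", which is an action the reader must take and not a side remark. Suggest moving that sentence out of the `>[!NOTE]` block into step 14 itself (or a step 15), and keeping the note to the instruction to record the certificate thumbprint characters, since those are needed later to confirm enrollment in SEMM and should stand out on their own.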
@ -75,7 +77,8 @@ To create a Surface UEFI configuration package, follow these steps:
Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
>**Note**:&nbsp;&nbsp;When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
>[!NOTE]
>When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
## Enroll a Surface device in SEMM
When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration files are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7.
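Review bot: The converted note beginning "When a Surface UEFI configuration package is created" says a log file is written to the desktop with "details of the configuration package settings and options" but not what those details include or what to do with the file afterwards. Because the log lands on the desktop of the machine that built the package, say whether it contains anything sensitive from the package and whether it should be moved or deleted once package creation has been verified.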

View File

@ -25,7 +25,7 @@ Before you can address the concerns of how you will boot to your deployment envi
The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using System Center Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://go.microsoft.com/fwlink/p/?LinkId=722364) use a chipset that is compatible with the Surface firmware.
Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
The following Ethernet devices are supported for network boot with Surface devices:
@ -55,7 +55,8 @@ To boot a Surface device from an alternative boot device, follow these steps:
3. Press and release the **Power** button.
4. After the system begins to boot from the USB stick or Ethernet adapter, release the **Volume Down** button.
>**Note:**&nbsp;&nbsp;In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
>[!NOTE]
>In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
 
For Windows 10, version 1511 and later including the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 1511 the drivers for Microsoft Surface Ethernet Adapters are present by default. If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the latest version of the Windows ADK.
@ -67,7 +68,7 @@ Another consideration for administrators performing Windows deployment over the
The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks.
Another potential solution to avoid conflict when adapters are shared is to use the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) to perform deployment to Surface devices. MDT does not use the MAC address to identify individual computers and thus is not subject to this limitation. However, MDT does use Windows Deployment Services to provide PXE boot functionality, and is subject to the limitations regarding pre-staged clients which is covered later in this section.
Another potential solution to avoid conflict when adapters are shared is to use the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741) to perform deployment to Surface devices. MDT does not use the MAC address to identify individual computers and thus is not subject to this limitation. However, MDT does use Windows Deployment Services to provide PXE boot functionality, and is subject to the limitations regarding pre-staged clients which is covered later in this section.
When you use a shared adapter for deployment, the solution for affected deployment technologies is to use another means to identify unique systems. For Configuration Manager and WDS, both of which can be affected by this issue, the solution is to use the System Universal Unique Identifier (System UUID) that is embedded in the computer firmware by the computer manufacturer. For Surface devices, you can see this entry in the computer firmware under **Device Information**.
@ -78,9 +79,9 @@ To access the firmware of a Surface device, follow these steps:
3. Press and release the **Power** button.
4. After the device begins to boot, release the **Volume Up** button.
When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://go.microsoft.com/fwlink/p/?LinkId=618118). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://go.microsoft.com/fwlink/p/?LinkId=618119) in **Windows Deployment Server Properties**.
When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**.
The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://go.microsoft.com/fwlink/p/?LinkId=618120) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
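Review bot: The WDS paragraph offers "Respond to all client computers (known and unknown)" as an alternative to pre-staging by System UUID without stating the trade-off: with that option the deployment server no longer restricts PXE responses to computers an administrator has defined in Active Directory. Add a sentence saying so, so that readers select it deliberately, and keep the System UUID approach as the stated recommendation for shared adapters.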
 

Binary file not shown. After: 145 KiB

Binary file not shown. After: 199 KiB

Binary file not shown. After: 30 KiB

Binary file not shown. Before: 276 KiB, after: 74 KiB

Binary file not shown. Before: 218 KiB, after: 24 KiB

Binary file not shown. Before: 138 KiB, after: 108 KiB

View File

@ -13,7 +13,7 @@ author: heatherpoulsen
# Surface
This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
This library provides guidance to help you deploy Windows on Microsoft Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface).
@ -23,15 +23,19 @@ For more information on planning for, deploying, and managing Surface devices in
| --- | --- |
| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | Get guidance on how to deploy and manage Surface devices with System Center Configuration Manager. |
| [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
## Learn more
[Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/849/Certifying-Surface-Pro-4-and-Surface-Book-as-standard-devices-at-Microsoft)
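Review bot: The topic table in this hunk has no row for the Long-Term Servicing Branch topic that this same commit adds as a new file, so that page is not reachable from the Surface index shown here. Add a row for it if it is meant to be listed. Also, the first row says "Ethernet adaptors" while the Ethernet adapter article changed elsewhere in this commit spells it "adapters"; pick one spelling.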

View File

@ -0,0 +1,44 @@
---
title: Long-Term Servicing Branch for Surface devices (Surface)
description: LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: jdeckerMS
---
# Long-Term Servicing Branch (LTSB) for Surface devices
General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB).
>[!NOTE]
>For more information about the servicing branches, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices.
General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as those in CB, at a later date.
Surface devices in specialized scenariossuch as PCs that control medical equipment, point-of-sale systems, and ATMsmay consider the use of LTSB. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization.
## Related topics
- [Surface TechCenter](https://technet.microsoft.com/windows/surface)
- [Surface for IT pros blog](http://blogs.technet.com/b/surface/)
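Review bot: The paragraph beginning "Surface devices in specialized" has lost its punctuation: "scenariossuch as" and "ATMsmay" run together, which looks like dashes dropped by an encoding problem. Restore the separators, for example with commas around "such as PCs that control medical equipment, point-of-sale systems, and ATMs". In the related topics list, the blog link uses `http://` while the other links in the file use `https://`; switch it if the site supports it.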
 
 

View File

@ -20,9 +20,12 @@ The Surface Dock provides external connectivity to Surface devices through a sin
Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device.
>**Note:**&nbsp;&nbsp;You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:<br/>
- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog
>[!NOTE]
>You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:
>- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
>- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog
 
@ -70,7 +73,8 @@ There are three methods you can use to update the firmware of the Surface Dock:
Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use.
>**Note:**&nbsp;&nbsp;The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
>[!NOTE]
>The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
 
@ -79,10 +83,11 @@ Windows Update is the method that most users will use. The drivers for the Surfa
This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method.
For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=785355).
For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application).
>**Note:**&nbsp;&nbsp;When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:<br/><br/>
**HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
>[!NOTE]
>When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
> **HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset:
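Review bot: The registry path in the rewritten note still reads "HLKM\\Software\\..."; the hive abbreviation is HKLM (HKEY_LOCAL_MACHINE), so anyone copying the path as written will not find the key. Correct the spelling while this line is being touched, since administrators will use this path to verify which Surface Dock firmware version is installed.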
@ -94,7 +99,8 @@ Firmware status is displayed for both the main chipset (displayed as **Component
- **Component*xx*FirmwareUpdateStatusRejectReason** This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware.
>**Note:**&nbsp;&nbsp;These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
>[!NOTE]
>These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
 
@ -103,7 +109,7 @@ Firmware status is displayed for both the main chipset (displayed as **Component
The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock.
For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://go.microsoft.com/fwlink/p/?LinkId=618121) on the Microsoft Download Center.
For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
 

View File

@ -31,26 +31,26 @@ The simplest solution to ensure that firmware on Surface devices in your organiz
Although this solution ensures that firmware will be updated as new releases are made available to Windows Update, it does present potential drawbacks. Each Surface device that receives Windows Updates directly will separately download each update rather than accessing a central location, which increases demand on Internet connectivity and bandwidth. Updates are also provided automatically to devices, without being subjected to testing or review by administrators.
For details about Group Policy for client configuration of WSUS or Windows Update, see [Step 5: Configure Group Policy Settings for Automatic Updates](https://go.microsoft.com/fwlink/p/?LinkId=618172).
For details about Group Policy for client configuration of WSUS or Windows Update, see [Step 5: Configure Group Policy Settings for Automatic Updates](https://technet.microsoft.com/library/dn595129).
**Windows Installer Package**
The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](https://go.microsoft.com/fwlink/p/?LinkId=618173) blog post.
The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](https://blogs.technet.microsoft.com/surface/2015/03/04/surface-pro-3-msi-now-available/) blog post.
For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618175). For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](https://go.microsoft.com/fwlink/p/?LinkId=618176). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](https://technet.microsoft.com/library/gg682082). For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](https://technet.microsoft.com/library/dn744279#sec04). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
**Provisioning packages**
New in Windows 10, provisioning packages (PPKG files) provide a simple method to apply a configuration to a destination device. You can find out more about provisioning packages, including instructions for how to create your own, in [Provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=761075). For easy application of a complete set of drivers and firmware to devices running Windows 10, a provisioning package is supplied for Surface Pro 3 devices. This file contains all of the instructions and required assets to update a Surface Pro 3 device with Windows 10 to the latest drivers and firmware.
New in Windows 10, provisioning packages (PPKG files) provide a simple method to apply a configuration to a destination device. You can find out more about provisioning packages, including instructions for how to create your own, in [Provisioning packages](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). For easy application of a complete set of drivers and firmware to devices running Windows 10, a provisioning package is supplied for Surface Pro 3 devices. This file contains all of the instructions and required assets to update a Surface Pro 3 device with Windows 10 to the latest drivers and firmware.
**Windows PowerShell**
Another method you can use to update the firmware when Windows Updates are managed in the organization is to install the firmware from the firmware and driver pack by using PowerShell. This method allows for a similar deployment experience to the Windows Installer package and can similarly be deployed as a package by using System Center Configuration Manager. You can find the PowerShell script and details on how to perform the firmware deployment in the [Deploying Drivers and Firmware to Surface Pro](https://go.microsoft.com/fwlink/p/?LinkId=618177) blog post.
Another method you can use to update the firmware when Windows Updates are managed in the organization is to install the firmware from the firmware and driver pack by using PowerShell. This method allows for a similar deployment experience to the Windows Installer package and can similarly be deployed as a package by using System Center Configuration Manager. You can find the PowerShell script and details on how to perform the firmware deployment in the [Deploying Drivers and Firmware to Surface Pro](https://blogs.technet.microsoft.com/deploymentguys/2013/05/16/deploying-drivers-and-firmware-to-surface-pro/) blog post.
## Operating system deployment considerations
The deployment of firmware updates during an operating system deployment is a straightforward process. The firmware and driver pack can be imported into either System Center Configuration Manager or MDT, and are used to deploy a fully updated environment, complete with firmware, to a target Surface device. For a complete step-by-step guide for deployment to Surface Pro 3 using either Configuration Manager or MDT, download the [Deployment and Administration Guide for Surface Pro 3](https://go.microsoft.com/fwlink/p/?LinkId=618178) from the Microsoft Download Center.
The deployment of firmware updates during an operating system deployment is a straightforward process. The firmware and driver pack can be imported into either System Center Configuration Manager or MDT, and are used to deploy a fully updated environment, complete with firmware, to a target Surface device. For a complete step-by-step guide for deployment to Surface Pro 3 using either Configuration Manager or MDT, download the [Deployment and Administration Guide for Surface Pro 3](https://www.microsoft.com/download/details.aspx?id=45292) from the Microsoft Download Center.
The individual driver files are also made available in the Microsoft Download Center if you are using deployment tools. The driver files are available in the ZIP archive file in the list of available downloads for your device.
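Review bot: In the MDT sentence, the link text "Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013" runs the step name and the guide title together with a stray "in the" between them. Reword it so the step and the guide title read as separate names. The new target also carries a `#sec04` fragment; confirm that it resolves to that step in the published page.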
@ -60,7 +60,7 @@ A best practice for deployment with any solution that uses the Windows Preinstal
**Update Surface Pro 3 firmware offline through USB**
In some early versions of Surface Pro 3 firmware, PXE boot performance can be quite slow. This has been resolved with updated firmware, but for organizations where firmware will be updated through operating system deployment, this issue is encountered before the updates can be deployed to the device. In this scenario, you can deploy updated firmware through a USB drive to ensure that when the operating system deployment is initiated, the network boot is quick, and deployment can complete in a timely fashion. To create a USB drive to update Surface Pro 3 firmware, see [How to Update the Surface Pro 3 Firmware Offline using a USB Drive](https://go.microsoft.com/fwlink/p/?LinkId=618189) on the Ask Premier Field Engineering (PFE) Platforms TechNet Blog.
In some early versions of Surface Pro 3 firmware, PXE boot performance can be quite slow. This has been resolved with updated firmware, but for organizations where firmware will be updated through operating system deployment, this issue is encountered before the updates can be deployed to the device. In this scenario, you can deploy updated firmware through a USB drive to ensure that when the operating system deployment is initiated, the network boot is quick, and deployment can complete in a timely fashion. To create a USB drive to update Surface Pro 3 firmware, see [How to Update the Surface Pro 3 Firmware Offline using a USB Drive](https://blogs.technet.microsoft.com/askpfeplat/2014/10/19/how-to-update-the-surface-pro-3-firmware-offline-using-a-usb-drive/) on the Ask Premier Field Engineering (PFE) Platforms TechNet Blog.
 

Some files were not shown because too many files have changed in this diff.