Merge remote-tracking branch 'refs/remotes/origin/master' into dh-servicing-sandbox

.openpublishing.publish.config.json

@@ -374,6 +374,22 @@
       "build_entry_point": "docs",
       "template_folder": "_themes",
       "version": 0
+    },
+    {
+      "docset_name": "bcs",
+      "build_source_folder": "bcs",
+      "build_output_subfolder": "bcs",
+      "locale": "en-us",
+      "monikers": [],
+      "open_to_public_contributors": false,
+      "type_mapping": {
+        "Conceptual": "Content",
+        "ManagedReference": "Content",
+        "RestApi": "Content"
+      },
+      "build_entry_point": "docs",
+      "template_folder": "_themes",
+      "version": 0
     }
   ],
   "notification_subscribers": [
@@ -386,7 +402,6 @@
   "git_repository_branch_open_to_public_contributors": "master",
   "skip_source_output_uploading": false,
   "need_preview_pull_request": true,
-  "enable_incremental_build": true,
   "dependent_repositories": [
     {
       "path_to_root": "_themes.pdf",
@@ -402,9 +417,15 @@
     }
   ],
   "branch_target_mapping": {
-    "live": ["Publish","Pdf"],
-    "master": ["Publish", "Pdf"]
-  }, 
+    "live": [
+      "Publish",
+      "Pdf"
+    ],
+    "master": [
+      "Publish",
+      "Pdf"
+    ]
+  },
   "need_generate_pdf_url_template": true,
   "Targets": {
     "Pdf": {

.openpublishing.redirection.json

@@ -487,17 +487,17 @@
 },
 {
 "source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-identify-apps",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-identify-apps",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/deploy/upgrade-analytics-release-notes.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-requirements",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-requirements",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-additional-insights",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-additional-insights",
 "redirect_document_id": true
 },
 {

bcs/TOC.md

@@ -0,0 +1 @@
+# [Index](index.md)

bcs/docfx.json

@@ -0,0 +1,37 @@
+{
+  "build": {
+    "content": [
+      {
+        "files": [
+          "**/*.md"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**",
+          "README.md",
+          "LICENSE",
+          "LICENSE-CODE",
+          "ThirdPartyNotices"
+        ]
+      }
+    ],
+    "resource": [
+      {
+        "files": [
+          "**/*.png",
+          "**/*.jpg"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**"
+        ]
+      }
+    ],
+    "overwrite": [],
+    "externalReference": [],
+    "globalMetadata": {},
+    "fileMetadata": {},
+    "template": [],
+    "dest": "bcs"
+  }
+}

bcs/index.md

@@ -0,0 +1 @@
+# Placeholder

devices/hololens/TOC.md

@@ -1,5 +1,5 @@
 # [Microsoft HoloLens](index.md)
-## [HoloLens in the enterprise: requirements](hololens-requirements.md)
+## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
 ## [Set up HoloLens](hololens-setup.md)
 ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) 
 ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)

devices/hololens/change-history-hololens.md

@@ -14,6 +14,12 @@ localizationpriority: medium
 
 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
 
+## May 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Microsoft HoloLens in the enterprise: requirements](hololens-requirements.md) | Changed title to **Microsoft HoloLens in the enterprise: requirements and FAQ**, added questions and answers in new [FAQ section](hololens-requirements.md#faq-for-hololens) |
+
 ## January 2017
 
 | New or changed topic | Description |

devices/hololens/hololens-enroll-mdm.md

@@ -11,10 +11,10 @@ localizationpriority: medium
 
 # Enroll HoloLens in MDM
 
-You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
+You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens) and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies).
 
 >[!NOTE]
->Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
+>Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
 
 
 ## Requirements

devices/hololens/hololens-provisioning.md

@@ -111,7 +111,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
 | **Certificates** | Deploy a certificate to HoloLens.  |
 | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens.   |
 | **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md)  |
-| **Policies** | Allow or prevent developer mode on HoloLens.  |
+| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) |
 
 >[!NOTE]
 >App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
@@ -119,3 +119,6 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
 
 
 
+
+
+

devices/hololens/hololens-requirements.md

@@ -1,6 +1,6 @@
 ---
-title: HoloLens in the enterprise requirements (HoloLens)
-description: Requirements for general use, Wi-Fi, and device management for HoloLens in the enterprise.
+title: HoloLens in the enterprise requirements and FAQ (HoloLens)
+description: Requirements and FAQ for general use, Wi-Fi, and device management for HoloLens in the enterprise.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
@@ -9,11 +9,13 @@ author: jdeckerMS
 localizationpriority: medium
 ---
 
-# Microsoft HoloLens in the enterprise: requirements
+# Microsoft HoloLens in the enterprise: requirements and FAQ
 
 When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
 
-## General use
+## Requirements
+
+### General use
 - Microsoft account or Azure Active Directory (Azure AD) account
 - Wi-Fi network to set up HoloLens
 
@@ -21,7 +23,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
 >After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
 
 
-## Supported wireless network EAP methods 
+### Supported wireless network EAP methods 
 - PEAP-MS-CHAPv2
 - PEAP-TLS
 - TLS 
@@ -31,16 +33,36 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
 - TTLS-PAP
 - TTLS-TLS
 
-## Device management 
+### Device management 
    - Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
    - Wi-Fi network
    - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
    
-## Upgrade to Windows Holographic for Business 
+### Upgrade to Windows Holographic for Business 
 - HoloLens Enterprise license XML file
 
 
+## FAQ for HoloLens
 
+#### Is Windows Hello for Business supported on HoloLens?
+
+Hello for Business (using a PIN to sign in) is supported for HoloLens. It must be configured [using MDM](hololens-enroll-mdm.md).
+
+#### Does the type of account change the sign-in behavior?
+
+Yes, the behavior for the type of account impacts the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type.
+
+- Microsoft account: signs in automatically
+- Local account: always asks for password, not configurable by Settings
+- Azure AD: asks for password by default; configurable by Settings to no longer ask for password. 
+
+>[!NOTE]
+>Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is respected only when the device goes into StandBy. 
+
+
+#### How do I remove a HoloLens device from the Intune dashboard?
+
+You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
 
 
 ## Related resources

education/get-started/get-started-with-microsoft-education.md

@@ -50,6 +50,8 @@ In this walkthrough, we'll show you the basics on how to:
 
 This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
 
+**Figure 1** - Microsoft Education IT administrator workflow
+
 ![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png)
 
 ## Prerequisites
@@ -109,7 +111,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
 1. Click <a href="https://aka.ms/intuneforedupreviewtrial" target="_blank">https://aka.ms/intuneforedupreviewtrial</a> to get started.
 2. In the **Intune for Education Trial** page, click **Sign in**.
 
-  **Figure 1** - Intune for Education trial sign in page
+  **Figure 2** - Intune for Education trial sign in page
 
   ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
 
@@ -125,7 +127,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
 1. Go to the <a href="https://signup.microsoft.com/Signup?OfferId=03ee83a5-5cb4-4545-aca9-33ead43f222a,d764709a-7763-45ef-a2a8-db5b8b6ae704&DL=ENTERPRISEPREMIUM_FACULTY" target="_blank">Office 365 for Education sign up page</a> to sign up for a free subscription for your school.
 2. Create an account and a user ID and password to use to sign into your account. 
 
-  **Figure 2** - Office 365 account creation
+  **Figure 3** - Office 365 account creation
 
   ![Create an Office 365 account](images/o365_createaccount.png)
 
@@ -151,7 +153,7 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
 1. Go to the <a href="https://aka.ms/sdsscripts" target="_blank">O365-EDU-Tools GitHub site</a>.
 2. Click the green **Clone or download** button to download the SDS sample files.
 
-  **Figure 3** - Download the SDS sample files from GitHub
+  **Figure 4** - Download the SDS sample files from GitHub
 
   ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png)
 
@@ -159,7 +161,7 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
 4. Go to the folder where you saved the .zip and unzip the files.
 5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files.
 
-  **Figure 4** - Sample CSV files
+  **Figure 5** - Sample CSV files
 
   ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png)
 
@@ -170,12 +172,25 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
 
 To learn more about the CSV files that are required and the info you need to include in each file, see <a href="https://aka.ms/sdscsvattributes" target="_blank">CSV files for School Data Sync</a>. If you run into any issues, see <a href="https://aka.ms/sdserrors" target="_blank">School Data Sync errors and troubleshooting</a>.
 
+**<a name="assignclassroom"></a>Assign Classroom license**
+
+The Classroom application is retired, but you will need to assign the Classroom Preview license to yourself and other global admins so that you can access the services. The single license will allow global admins to access both Classroom Preview and School Data Sync.
+
+1. In the <a href="https://portal.office.com/adminportal" target="_blank">Office 365 admin center</a>, select **Users > Active users**.
+2. Select the checkbox for your global admin account.
+3. In the account details window, under **Product licenses**, click **Edit**.
+4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**.
+5. Confirm that you can access SDS. To do this, log in to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
+
+  > [!NOTE]
+  > Only global admins can access SDS.
+
 **<a name="usesdstoimportdata"></a>Use SDS to import student data**
 
-1. Go to the <a href="http://sds.microsoft.com" target="_blank">Microsoft School Data Sync site</a>.
+1. If you haven't done so already, To do this, go to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
 2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
 
-  **Figure 5** - Settings for managing SDS
+  **Figure 6** - Settings for managing SDS
 
   ![Settings for managing SDS](images/sds_sds_and_classroom_off.png)
 
@@ -183,7 +198,7 @@ To learn more about the CSV files that are required and the info you need to inc
 
   New menu options will appear on the left of the SDS portal.
 
-  **Figure 6** - New menu options appear after SDS is turned on
+  **Figure 7** - New menu options appear after SDS is turned on
 
   ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenu_items.png)
 
@@ -191,7 +206,7 @@ To learn more about the CSV files that are required and the info you need to inc
 
   This opens up the new profile setup wizard within the main page.
 
-  **Figure 7** - New SDS profile setup wizard
+  **Figure 8** - New SDS profile setup wizard
 
   ![New SDS profile setup wizard](images/sds_updated_addnewprofile.png)
 
@@ -221,7 +236,7 @@ To learn more about the CSV files that are required and the info you need to inc
   5. In the **License Options** section, check the box to select the option.
   6. Click **Next**.
 
-    **Figure 8** - Sync options for the new profile
+    **Figure 9** - Sync options for the new profile
 
     ![Specify sync options for the new SDS profile](images/sds_addnewprofile_syncoptions.png)
 
@@ -231,7 +246,7 @@ To learn more about the CSV files that are required and the info you need to inc
   3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**.
   4. Click **Next**.
 
-    **Figure 9** - Specify options for teacher mapping
+    **Figure 10** - Specify options for teacher mapping
 
     ![Specify options for teacher mapping](images/sds_addnewprofile_teacheroptions.png)
 
@@ -241,7 +256,7 @@ To learn more about the CSV files that are required and the info you need to inc
   3. In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**.
   4. Click **Next**.
 
-    **Figure 10** - Specify options for student mapping
+    **Figure 11** - Specify options for student mapping
 
     ![Specify options for student mapping](images/sds_addnewprofile_studentoptions.png)
 
@@ -251,7 +266,7 @@ To learn more about the CSV files that are required and the info you need to inc
 
 11. You will see a page for your profile. The status might indicate that it's still being set up. 
 
-  **Figure 11** - SDS profile page
+  **Figure 12** - SDS profile page
 
   ![SDS profile page](images/sds_profilepage.png)
 
@@ -259,7 +274,7 @@ To learn more about the CSV files that are required and the info you need to inc
 
   If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Ready to sync**.
 
-  **Figure 12** - New profile is ready to sync
+  **Figure 13** - New profile is ready to sync
 
   ![Confirm that the new profile is ready](images/sds_profile_readytosync.png)
 
@@ -288,20 +303,20 @@ You'll need to configure Microsoft Store for Education to accept the services ag
 
   This will take you to the Microsoft Store for Education portal.
 
-  **Figure 13** - Microsoft Store for Education portal
+  **Figure 14** - Microsoft Store for Education portal
 
   ![Microsoft Store for Education portal](images/msfe_store_portal.png)
 
 3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
 4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
 
-  **Figure 14** - Select management tools from the list of Store settings options
+  **Figure 15** - Select management tools from the list of Store settings options
 
   ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
 
 4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
 
-  **Figure 15** - Activate Intune for Education as the management tool
+  **Figure 16** - Activate Intune for Education as the management tool
 
   ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) 
 
@@ -335,20 +350,20 @@ Intune for Education provides an **Express configuration** option so you can get
 
 1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. You will see the Intune for Education dashboard once you're logged in.
 
-  **Figure 16** - Intune for Education dashboard
+  **Figure 17** - Intune for Education dashboard
 
   ![Intune for Education dashboard](images/i4e_portal.png)
 
 2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
 3. In the **Welcome to Intune for Education** screen, click **Get started**.
   
-  **Figure 17** - Click Get started to set up Intune for Education
+  **Figure 18** - Click Get started to set up Intune for Education
 
   ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
 
 4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
 
-  **Figure 18** - SDS is configured
+  **Figure 19** - SDS is configured
 
   ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
 
@@ -361,7 +376,7 @@ Intune for Education provides an **Express configuration** option so you can get
   > [!TIP]
   > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
   >
-  > **Figure 19** - Click on the buttons to go back to that step
+  > **Figure 20** - Click on the buttons to go back to that step
   >
   > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
 
@@ -374,7 +389,7 @@ Intune for Education provides an **Express configuration** option so you can get
     > [!TIP]
     > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
 
-  **Figure 20** - Choose the apps that you want to install for the group
+  **Figure 21** - Choose the apps that you want to install for the group
 
   ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
 
@@ -384,7 +399,7 @@ Intune for Education provides an **Express configuration** option so you can get
 
 8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group.
 
-  **Figure 21** - Expand the settings group to get more details
+  **Figure 22** - Expand the settings group to get more details
 
   ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped.png)
 
@@ -392,20 +407,20 @@ Intune for Education provides an **Express configuration** option so you can get
   - In the **Internet browser settings** group, change the **Send Do Not Track requests to help protect users' privacy** setting to **Block**.
   - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Private Microsoft Store for Business apps** to **Allow**.
 
-  **Figure 22** - Set some additional settings
+  **Figure 23** - Set some additional settings
 
   ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettingsconfigured_cropped.png)
 
 10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
 
-  **Figure 23** - Review the group, apps, and settings you configured
+  **Figure 24** - Review the group, apps, and settings you configured
 
   ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png)
 
 11. Click **Save** to end express configuration.
 12. You will see the **You're done!** screen which lets you choose one of two options. 
 
-  **Figure 24** - All done with Intune for Education express configuration
+  **Figure 25** - All done with Intune for Education express configuration
 
   ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png)
 
@@ -422,13 +437,13 @@ Intune for Education provides an **Express configuration** option so you can get
 
   1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click **Apps** from the menu on the left.
 
-    **Figure 25** - Click on **Apps** to see the list of apps for your tenant
+    **Figure 26** - Click on **Apps** to see the list of apps for your tenant
 
     ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png)
 
   2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in.
 
-    **Figure 26** - Select the option to add a new Store app
+    **Figure 27** - Select the option to add a new Store app
 
     ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png)
 
@@ -447,7 +462,7 @@ Intune for Education provides an **Express configuration** option so you can get
 
     For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
 
-    **Figure 27** - Apps inventory in Microsoft Store for Education
+    **Figure 28** - Apps inventory in Microsoft Store for Education
 
     ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png)
 
@@ -462,32 +477,32 @@ Now that you've bought the apps, use Intune for Education to specify the group t
 
 1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click the **Groups** option from the menu on the left.
 
-  **Figure 28** - Groups page in Intune for Education
+  **Figure 29** - Groups page in Intune for Education
 
   ![Groups page in Intune for Education](images/i4e_groupspage.png)
 
 2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. 
 
-  **Figure 29** - List of all users in the tenant
+  **Figure 30** - List of all users in the tenant
 
   ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png)
 
 3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps.
 
-  **Figure 30** - Edit apps to assign them to users
+  **Figure 31** - Edit apps to assign them to users
 
   ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png)
 
 4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. 
 
-  **Figure 31** - Select the apps to deploy to the group
+  **Figure 32** - Select the apps to deploy to the group
 
   ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png)
 
 5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group.
 6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. 
 
-  **Figure 32** - Updated list of assigned apps
+  **Figure 33** - Updated list of assigned apps
 
   ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png)
 
@@ -511,13 +526,13 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio
 1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection.
 2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen.
 
-  **Figure 33** - Let's start with region
+  **Figure 34** - Let's start with region
 
   ![Let's start with region](images/win10_letsstartwithregion.png)
 
 3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**.
 
-  **Figure 34** - Select setup for an organization
+  **Figure 35** - Select setup for an organization
 
   ![Select setup for an organization](images/win10_setupforanorg.png)
 
@@ -536,7 +551,7 @@ Verify that the device is set up correctly and boots without any issues.
   > [!NOTE]  
   > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
 
-  **Figure 35** - Sample list of apps for a user
+  **Figure 36** - Sample list of apps for a user
 
   ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
 
@@ -548,7 +563,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
 2. Select **Groups** and select **All Devices**.
 3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
 
-  **Figure 36** - List of all managed devices
+  **Figure 37** - List of all managed devices
 
   ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
 
@@ -556,7 +571,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
 5. Select **Accounts > Access work or school**.
 6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
 
-  **Figure 37** - Confirm that the Windows 10 device is joined to Azure AD
+  **Figure 38** - Confirm that the Windows 10 device is joined to Azure AD
 
   ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
 
@@ -572,7 +587,7 @@ If you need to make changes or updates to any of the apps or settings for the gr
 2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
 3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
 
-  **Figure 38** - See the list of available settings in Intune for Education
+  **Figure 39** - See the list of available settings in Intune for Education
 
   ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
 
@@ -594,7 +609,7 @@ Follow the steps in this section to enable a single person to add many devices t
 2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
 3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
 
-  **Figure 39** - Device settings in the new Azure portal
+  **Figure 40** - Device settings in the new Azure portal
 
   ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
 
@@ -611,7 +626,7 @@ Follow the steps in this section to ensure that settings for the each user follo
 3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
 
-  **Figure 40** - Enable settings to roam with users
+  **Figure 41** - Enable settings to roam with users
 
   ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
 
@@ -639,7 +654,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
 
   For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
 
-  **Figure 41** - Device is now managed by Intune for Education
+  **Figure 42** - Device is now managed by Intune for Education
 
   ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
 
@@ -649,7 +664,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
 
 5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
 
-  **Figure 42** - Device is connected to organization's MDM
+  **Figure 43** - Device is connected to organization's MDM
 
   ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
 

education/windows/use-set-up-school-pcs-app.md

@@ -17,7 +17,7 @@ author: CelesteDG
 
 IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
 
-![Set up School PCs app](images/suspc_getstarted_resized.png)
+![Set up School PCs app](images/suspc_getstarted_050817.png)
 
 ## What does this app do?
 
@@ -61,7 +61,7 @@ A student PC that's set up using the Set up School PCs provisioning package is t
 * **Network tips**
   * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password. 
   * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it.
-    - We recommend configuring your DHCP so you have a good set of IP addresses available (about 100-200). These IP addresses will expire after a short amount of time (about 30 minutes). This allows you set up many devices simultaneously, and the IP addresses will be freed up quick so you can continue to set up devices without risk of crashing your network.
+    - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues.
 
 * **Apply to new student PCs**
   * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost.
@@ -112,7 +112,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
   **Figure 1** - Launch the Set up School PCs app
 
-  ![Launch the Set up School PCs app](images/suspc_getstarted_resized.png)
+  ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)
 
 2. Click **Get started**.
 3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
@@ -170,7 +170,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
     **Figure 3** - Configure student PC settings
 
-    ![Configure student PC settings](images/suspc_choosesettings_settings_updated.png)
+    ![Configure student PC settings](images/suspc_createpackage_settingspage.png)
 
  When you're doing configuring the student PC settings, click **Next**.
 
@@ -182,7 +182,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
     **Figure 4** - Configure the Take a Test app
 
-    ![Configure the Take a Test app](images/suspc_choosesettings_setuptakeatest.png)
+    ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage.png)
 
   3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
 
@@ -202,7 +202,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
       **Figure 5** - Review your settings and change them as needed
 
-      ![Review your settings and change them as needed](images/suspc_choosesettings_summary.png)
+      ![Review your settings and change them as needed](images/suspc_createpackage_summary.png)
 
   2. Click **Accept**.
 
@@ -213,19 +213,19 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
       **Figure 6** - Select the USB drive and save the provisioning package
 
-      ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
+      ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb_050817.png)
 
 10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
 
   **Figure 7** - Provisioning package is ready
 
-  ![Provisioning package is ready](images/suspc_ppkg_isready.png)
+  ![Provisioning package is ready](images/suspc_ppkgisready_050817.png)
 
 12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. 
 
   **Figure 8** - Line up the student PCs and get them ready for setup
 
-  ![Line up the student PCs and get them ready for setup](images/suspc_getpcsready_getpcsready.png)
+  ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
 
 13. Click **Next**.
 14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. 
@@ -234,7 +234,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
   **Figure 9** - Install the provisioning package on the student PCs
 
-  ![Install the provisioning package on the student PCs](images/suspc_getpcsready_installpackage.png)
+  ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png)
 
 
 ### Apply the provisioning package to the student PCs

windows/access-protection/TOC.md

@@ -47,7 +47,6 @@
 #### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
 #### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
 
-### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
 ### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
 #### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
 ##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)

windows/access-protection/credential-guard/credential-guard-known-issues.md

@@ -26,26 +26,29 @@ See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us
 [KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
 
 The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
--	[Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
+-	[Installing AppSense Environment Manager on Windows 10 machines causes LSAiso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) * <sup>[1]</sup>
 
-    *Registration required to access this article. 
+    *Registration required to access this article.
+    
+    <sup>[1]</sup> For further technical information on LSAiso.exe, see this MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
+    
+The following issue affects Cisco AnyConnect Secure Mobility Client:
 
 -	[Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
 
-    **Registration required to access this article. 
+**Registration required to access this article. 
 
-Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
+Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base article:
 
 -	KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
 
+The following issue is under investigation:
 
 -	 Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
 
-     Microsoft is currently working with Citrix to investigate this issue.
-
-
 ## Vendor support
 
+See the following article on Citrix support for Secure Boot:
 -	[Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
 
 Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:

windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -287,15 +287,19 @@ You can prevent Windows from setting the time automatically.
 
     -or-
 
+-   Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+
+After that, configure the following:
+
 -   Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
+    
+    > [!NOTE]  
+    > This is only available on Windows 10, version 1703 and later.
 
     -or -
 
--  Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+-  Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** and set it to 0 (zero).
 
-    -or-
-
--   Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
 
 ### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
 
@@ -392,7 +396,6 @@ Use Group Policy to manage settings for Internet Explorer.  You can find the Int
 | Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites. <br /> Default: Enabled <br /> You can also turn this off in the UI by clearing the **Internet Options** &gt; **Advanced** &gt; **Enable Suggested Sites** check box.|
 | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar. <br /> Default: Enabled|
 | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar. <br /> Default: Disabled </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> &gt; **Advanced** &gt; **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
-| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
 | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
 | Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer. <br /> Default: Disabled |
 
@@ -403,7 +406,6 @@ Alternatively, you could use the registry to set the Group Policies.
 | Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled <br /> REG_DWORD: 0|
 | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA <br /> REG_DWORD: 0|
 | Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest<br /> REG_SZ: **No** |
-| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck<br /> REG_DWORD: 1 |
 | Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation <br /> REG_DWORD: 1 |
 | Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9 <br /> REG_DWORD: 0 |
 
@@ -510,8 +512,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
 | Configure search suggestions in Address bar              | Choose whether the address bar shows search suggestions. <br /> Default: Enabled                    |
 | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)  <br/> Configure SmartScreen Filter (Windows Server 2016)                      | Choose whether Windows Defender SmartScreen is turned on or off.  <br /> Default: Enabled                            |
 | Allow web content on New Tab page                     | Choose whether a new tab page appears.  <br /> Default: Enabled                                     |
-| Configure Start pages                       | Choose the Start page for domain-joined devices. <br /> Set this to **about:blank**        |
-| Prevent the First Run webpage from opening pages                       | Choose whether employees see the First Run webpage. <br /> Default: Enabled        |
+| Configure Start pages                       | Choose the Start page for domain-joined devices. <br /> Set this to **\<about:blank\>**        |
+| Prevent the First Run webpage from opening on Microsoft Edge                       | Choose whether employees see the First Run webpage. <br /> Default: Disabled        |
 
 
 The Windows 10, version 1511 Microsoft Edge Group Policy names are:

windows/configuration/provisioning-packages/provisioning-multivariant.md

@@ -19,7 +19,7 @@ localizationpriority: high
 
 In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. 
 
-To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
+To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
 
 Let's begin by learning how to define a **Target**.
 
@@ -258,7 +258,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
 6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
 
 
-7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
+7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
 
     For example:
 

windows/deployment/TOC.md

@@ -1,44 +1,176 @@
-# [Deploy Windows 10](index.md)
-## [What's new in Windows 10 deployment](deploy-whats-new.md)
-## [Plan for Windows 10 deployment](planning/index.md)
-### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
-### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-### [Windows 10 compatibility](planning/windows-10-compatibility.md)
-### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
-### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
-#### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
-#### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
-#### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
-#### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
-#### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
-### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
-#### [SUA User's Guide](planning/sua-users-guide.md)
-##### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
-##### [Using the SUA Tool](planning/using-the-sua-tool.md)
-###### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md)
-###### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md)
-###### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md)
-###### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md)
-#### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md)
-##### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md)
-###### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md)
-###### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md)
-###### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
-###### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
-###### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-###### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md)
-###### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md)
-###### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
-###### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
-##### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md)
-###### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md)
-###### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md)
-###### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
-##### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
-#### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
-## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## Upgrade Windows
+# [Deploy, Upgrade and Update Windows 10](index.md)
+
+## Deploy Windows 10
+### [What's new in Windows 10 deployment](deploy-whats-new.md)
+
+### [Plan for Windows 10 deployment](planning/index.md)
+#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
+#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
+#### [Windows 10 compatibility](planning/windows-10-compatibility.md)
+#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
+#### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
+##### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
+##### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
+##### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
+##### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
+##### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
+#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
+##### [SUA User's Guide](planning/sua-users-guide.md)
+###### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
+###### [Using the SUA Tool](planning/using-the-sua-tool.md)
+####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md)
+####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md)
+####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md)
+####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md)
+##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md)
+###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md)
+####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md)
+####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md)
+####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
+####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
+####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
+####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md)
+####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md)
+####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
+####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
+###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md)
+####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md)
+####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md)
+####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
+###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
+##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
+#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
+
+### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+
+### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
+#### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
+##### [Introduction to VAMT](volume-activation/introduction-vamt.md)
+##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
+##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md)
+###### [VAMT Requirements](volume-activation/vamt-requirements.md)
+###### [Install VAMT](volume-activation/install-vamt.md)
+###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md)
+##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md)
+###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md)
+###### [Update Product Status](volume-activation/update-product-status-vamt.md)
+###### [Remove Products](volume-activation/remove-products-vamt.md)
+##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md)
+###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md)
+###### [Install a Product Key](volume-activation/install-product-key-vamt.md)
+###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md)
+##### [Manage Activations](volume-activation/manage-activations-vamt.md)
+###### [Perform Online Activation](volume-activation/online-activation-vamt.md)
+###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md)
+###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md)
+###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md)
+###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md)
+###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md)
+##### [Manage VAMT Data](volume-activation/manage-vamt-data.md)
+###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md)
+###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md)
+##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md)
+###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md)
+###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md)
+###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md)
+##### [VAMT Known Issues](volume-activation/vamt-known-issues.md)
+#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
+##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md)
+###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md)
+###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md)
+###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md)
+##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md)
+###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md)
+###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md)
+###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md)
+###### [Migrate Application Settings](usmt/migrate-application-settings.md)
+###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md)
+###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md)
+###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md)
+###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md)
+##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md)
+###### [Common Issues](usmt/usmt-common-issues.md)
+###### [Frequently Asked Questions](usmt/usmt-faq.md)
+###### [Log Files](usmt/usmt-log-files.md)
+###### [Return Codes](usmt/usmt-return-codes.md)
+###### [USMT Resources](usmt/usmt-resources.md)
+##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md)
+###### [USMT Requirements](usmt/usmt-requirements.md)
+###### [USMT Best Practices](usmt/usmt-best-practices.md)
+###### [How USMT Works](usmt/usmt-how-it-works.md)
+###### [Plan Your Migration](usmt/usmt-plan-your-migration.md)
+####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md)
+####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md)
+####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md)
+######## [Migration Store Types Overview](usmt/migration-store-types-overview.md)
+######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md)
+######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md)
+######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md)
+####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md)
+######## [Identify Users](usmt/usmt-identify-users.md)
+######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md)
+######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md)
+######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md)
+####### [Test Your Migration](usmt/usmt-test-your-migration.md)
+###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md)
+####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md)
+####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md)
+####### [UsmtUtils Syntax](usmt/usmt-utilities.md)
+###### [USMT XML Reference](usmt/usmt-xml-reference.md)
+####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md)
+####### [Config.xml File](usmt/usmt-configxml-file.md)
+####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md)
+####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md)
+####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md)
+####### [General Conventions](usmt/usmt-general-conventions.md)
+####### [XML File Requirements](usmt/xml-file-requirements.md)
+####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
+####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
+###### [Offline Migration Reference](usmt/offline-migration-reference.md)
+
+### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
+#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
+##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
+##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
+##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
+#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
+#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
+#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
+#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
+#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
+##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
+##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
+##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
+##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
+##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
+##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
+##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
+#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+
+### [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+
+## Upgrade to Windows 10
 ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
 ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
 ### [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
@@ -55,47 +187,8 @@
 ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
 ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
 #### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
-## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-#### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
-#### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
-#### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
-### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
-### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
-### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
-### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
-### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
-#### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
-#### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
-#### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
-#### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
-#### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-#### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
-#### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
-#### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
-## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
-### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
-## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
-## [Convert MBR partition to GPT](mbr-to-gpt.md)
-## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
-## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
+### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+
 ## [Update Windows 10](update/index.md)
 ### [Quick guide to Windows as a service](update/waas-quick-start.md)
 ### [Overview of Windows as a service](update/waas-overview.md)
@@ -117,11 +210,17 @@
 ### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
 ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
 ### [Manage device restarts after updates](update/waas-restart.md)
+### [Manage additional Windows Update settings](update/waas-wu-settings.md)
 ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
 #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
 #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
 ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
 
+## [Convert MBR partition to GPT](mbr-to-gpt.md)
+## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
+## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
+## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
+
 ## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md)
 ### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md)
 ### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md)
@@ -130,91 +229,5 @@
 ### [Monitor activation [client]](volume-activation/monitor-activation-client.md)
 ### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md)
 ### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md)
-## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
-## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
-### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
-### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
-### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
-#### [Introduction to VAMT](volume-activation/introduction-vamt.md)
-#### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
-#### [Install and Configure VAMT](volume-activation/install-configure-vamt.md)
-##### [VAMT Requirements](volume-activation/vamt-requirements.md)
-##### [Install VAMT](volume-activation/install-vamt.md)
-##### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md)
-#### [Add and Manage Products](volume-activation/add-manage-products-vamt.md)
-##### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md)
-##### [Update Product Status](volume-activation/update-product-status-vamt.md)
-##### [Remove Products](volume-activation/remove-products-vamt.md)
-#### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md)
-##### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md)
-##### [Install a Product Key](volume-activation/install-product-key-vamt.md)
-##### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md)
-#### [Manage Activations](volume-activation/manage-activations-vamt.md)
-##### [Perform Online Activation](volume-activation/online-activation-vamt.md)
-##### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md)
-##### [Perform KMS Activation](volume-activation/kms-activation-vamt.md)
-##### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md)
-##### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md)
-##### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md)
-#### [Manage VAMT Data](volume-activation/manage-vamt-data.md)
-##### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md)
-##### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md)
-#### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md)
-##### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md)
-##### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md)
-##### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md)
-#### [VAMT Known Issues](volume-activation/vamt-known-issues.md)
-### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
-#### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md)
-##### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md)
-##### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md)
-##### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md)
-#### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md)
-##### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md)
-##### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md)
-##### [Include Files and Settings](usmt/usmt-include-files-and-settings.md)
-##### [Migrate Application Settings](usmt/migrate-application-settings.md)
-##### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md)
-##### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md)
-##### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md)
-##### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md)
-#### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md)
-##### [Common Issues](usmt/usmt-common-issues.md)
-##### [Frequently Asked Questions](usmt/usmt-faq.md)
-##### [Log Files](usmt/usmt-log-files.md)
-##### [Return Codes](usmt/usmt-return-codes.md)
-##### [USMT Resources](usmt/usmt-resources.md)
-#### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md)
-##### [USMT Requirements](usmt/usmt-requirements.md)
-##### [USMT Best Practices](usmt/usmt-best-practices.md)
-##### [How USMT Works](usmt/usmt-how-it-works.md)
-##### [Plan Your Migration](usmt/usmt-plan-your-migration.md)
-###### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md)
-###### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md)
-###### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md)
-####### [Migration Store Types Overview](usmt/migration-store-types-overview.md)
-####### [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md)
-####### [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md)
-####### [Migration Store Encryption](usmt/usmt-migration-store-encryption.md)
-###### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md)
-####### [Identify Users](usmt/usmt-identify-users.md)
-####### [Identify Applications Settings](usmt/usmt-identify-application-settings.md)
-####### [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md)
-####### [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md)
-###### [Test Your Migration](usmt/usmt-test-your-migration.md)
-##### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md)
-###### [ScanState Syntax](usmt/usmt-scanstate-syntax.md)
-###### [LoadState Syntax](usmt/usmt-loadstate-syntax.md)
-###### [UsmtUtils Syntax](usmt/usmt-utilities.md)
-##### [USMT XML Reference](usmt/usmt-xml-reference.md)
-###### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md)
-###### [Config.xml File](usmt/usmt-configxml-file.md)
-###### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md)
-###### [Custom XML Examples](usmt/usmt-custom-xml-examples.md)
-###### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md)
-###### [General Conventions](usmt/usmt-general-conventions.md)
-###### [XML File Requirements](usmt/xml-file-requirements.md)
-###### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
-###### [XML Elements Library](usmt/usmt-xml-elements-library.md)
-##### [Offline Migration Reference](usmt/offline-migration-reference.md)
-## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
+
+## [Change history for Deploy, Upgrade and Update Windows 10](change-history-for-deploy-windows-10.md)

windows/deployment/index.md

@@ -9,34 +9,60 @@ localizationpriority: high
 author: greg-lindsay
 ---
 
-# Deploy Windows 10
-Learn about deploying Windows 10 for IT professionals.
+# Deploy, Upgrade and Update Windows 10
+Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous version and updating Windows 10.
 
 ## In this section
 
+
+### Deploy Windows 10
 |Topic |Description |
 |------|------------|
 |[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
+|[Plan for Windows 10 deployment](planning/index.md) | This topic provides information about Windows 10 deployment considerations. It also provides details to assist in Windows 10 deployment planning. |
 |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
-|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
 |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
-|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+
+### Upgrade to Windows 10
+|Topic |Description |
+|------|------------|
 |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
 |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
+|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+
+### Update Windows 10
+|Topic |Description |
+|------|------------|
+| [Quick guide to Windows as a service](update/waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. |
+| [Overview of Windows as a service](update/waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
+| [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy.  |
+| [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates.  |
+| [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. |
+| [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization.  |
+| [Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution.  |
+| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
+| [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.  |
+| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
+| [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates.  |
+| [Manage device restarts after updates](update/waas-restart.md) | Explains how to manage update related device restarts. |
+| [Manage additional Windows Update settings](update/waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
+| [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
+
+### Additional topics
+|Topic |Description |
+|------|------------|
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
+|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) |Sideload line-of-business apps in Windows 10. |
 |[Volume Activation [client]](volume-activation/volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
-|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
 |[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). |
 
-## Related topics
-- [Windows 10 and Windows 10 Mobile](/windows/windows-10)
-
  
 
  

windows/deployment/update/index.md

@@ -40,7 +40,8 @@ Windows as a service provides a new way to think about building, deploying, and
 | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.  |
 | [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
 | [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates.  |
-| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
+| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
+| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
 | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
 
 >[!TIP]

windows/deployment/update/waas-configure-wufb.md

@@ -2,7 +2,7 @@
 title: Configure Windows Update for Business (Windows 10)
 description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
 ms.prod: w10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
 localizationpriority: high

windows/deployment/update/waas-delivery-optimization.md

@@ -2,7 +2,7 @@
 title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
 description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
 ms.prod: w10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
 localizationpriority: high

windows/deployment/update/waas-restart.md

@@ -2,7 +2,7 @@
 title: Manage device restarts after updates (Windows 10)
 description: tbd
 ms.prod: w10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
 localizationpriority: high

windows/deployment/update/waas-servicing-branches-windows-10-updates.md

@@ -2,7 +2,7 @@
 title: Assign devices to servicing branches for Windows 10 updates (Windows 10)
 description: tbd
 ms.prod: w10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
 localizationpriority: high

windows/deployment/update/waas-wu-settings.md

@@ -0,0 +1,177 @@
+---
+title: Manage additional Windows Update settings (Windows 10)
+description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage additional Windows Update settings
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile 
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
+
+You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
+
+>[!IMPORTANT]
+>In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
+
+## Summary of Windows Update settings
+
+| Group Policy setting | MDM setting | Supported from version | 
+| --- | --- | --- |
+| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
+| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
+| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
+| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
+| [Enable client-side targeting](#enable-client-side-targeting) | | All |
+| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
+| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
+| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
+
+>[!IMPORTANT]
+>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
+>
+>Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**.
+
+## Scanning for updates
+
+With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
+
+[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
+
+You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
+
+Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
+
+For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md).
+
+### Specify Intranet Microsoft update service location
+
+Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. 
+
+To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. 
+
+If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
+If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+
+The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
+The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
+
+>[!NOTE]
+>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
+>
+>If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
+>
+>The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
+
+To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate).
+
+### Automatic Updates detection frequency
+
+Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
+
+To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**.
+
+If the setting is set to **Enabled**, Windows will check for available updates at the specified interval.
+If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
+
+>[!NOTE]
+>The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
+>
+>If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
+
+To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
+
+### Remove access to use all Windows Update features
+
+By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+### Do not connect to any Windows Update Internet locations
+
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
+
+Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
+
+>[!NOTE]
+>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+### Enable client-side targeting
+
+Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM.
+
+This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
+If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
+If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
+
+If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
+
+>[!NOTE]
+>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
+
+### Allow signed updates from an intranet Microsoft update service location
+
+This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. 
+
+To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
+
+If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
+If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
+
+>[!NOTE]
+>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
+
+To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate).
+
+
+## Installing updates
+
+To add more flexibility to the update process, settings are available to control update installation.
+
+[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
+
+### Do not include drivers with Windows Updates
+
+Allows admins to exclude Windows Update (WU) drivers during updates.
+
+To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. 
+Enable this policy to not include drivers with Windows quality updates.
+If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
+
+### Configure Automatic Updates
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+When enabling this setting through Group Policy, under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
+
+**2 - Notify for download and auto install** -  When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
+
+**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
+
+**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
+
+**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.
+
+If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
+
+If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) 
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Manage device restarts after updates](waas-restart.md)

windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md

@@ -825,6 +825,41 @@ Download and run the media creation tool. See [Download windows 10](https://www.
 </td>
 </tr>
 
+<tr>
+<td>0x80240FFF </td>
+<td>Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a>, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.</td>
+<td> You can prevent this by installing <a href="http://blogs.technet.com/b/wsus/archive/2015/12/04/important-update-for-wsus-4-0-kb-3095113.aspx">hotfix 3095113</a> before you enable update synchronization. However, if you have already run into this problem, do the following: 
+
+<ol>
+<li>Disable the Upgrades classification.</li>
+<li>Install hotfix 3095113.</li>
+<li>Delete previously synched updates.</li>
+<li>Enable the Upgrades classification.</li>
+<li>Perform a full synch.</li>
+</ol>
+<p>For detailed information on how to run these steps check out <a href="http://blogs.technet.com/b/wsus/archive/2016/01/30/quot-help-i-synched-upgrades-too-soon-quot.aspx">How to delete upgrades in WSUS</a>.</p>
+</td>
+</tr>
+
+<tr>
+<td>0x8007007E</td>
+<td>Occurs when update synchronization fails because you do not have <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a> installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downlaoded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.</td>
+<td> Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadate before you installed the hotfix.
+
+<ol>
+<li>Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
+<ol>
+<li>Open <b>Administrative Tools</b> from the Control Panel.</li>
+<li>Double-click <b>Services</b>.</li>
+<li>Find the <b>Windows Update</b> service, right-click it, and then click <b>Stop</b>. If prompted, enter your credentials.</li>
+</ol>
+</li>
+<li>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.</li>
+<li>Restart the Windows Update service.</li>
+</ol>
+</td>
+</tr>
+
 </table>
 
 ### Other error codes

windows/device-security/TOC.md

@@ -12,7 +12,6 @@
 #### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
 #### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
 #### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
-#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
 ##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
 ##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
 ##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)
@@ -561,6 +560,7 @@
 ##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
 ##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
 ##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+#####  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
 ##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
 ##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
 ##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)

windows/device-security/bitlocker/bitlocker-group-policy-settings.md

@@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
 
 -   only the TPM for authentication
 -   insertion of a USB flash drive containing the startup key
--   the entry of a 4-digit to 20-digit personal identification number (PIN)
+-   the entry of a 6-digit to 20-digit personal identification number (PIN)
 -   a combination of the PIN and the USB flash drive
 
 There are four options for TPM-enabled computers or devices:
@@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
 <tbody>
 <tr class="odd">
 <td align="left"><p><strong>Policy description</strong></p></td>
-<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits.</p></td>
+<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><strong>Introduced</strong></p></td>
@@ -347,14 +347,14 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
 </tr>
 <tr class="odd">
 <td align="left"><p><strong>When disabled or not configured</strong></p></td>
-<td align="left"><p>Users can configure a startup PIN of any length between 4 and 20 digits.</p></td>
+<td align="left"><p>Users can configure a startup PIN of any length between 6 and 20 digits.</p></td>
 </tr>
 </tbody>
 </table>
  
 **Reference**
 
-This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
 
 ### Disable new DMA devices when this computer is locked
 
@@ -527,7 +527,7 @@ This policy setting is used to control what unlock options are available for com
  
 **Reference**
 
-On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN.
+On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
 
 A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive.
 

windows/device-security/change-history-for-device-security.md

@@ -11,7 +11,12 @@ author: brianlic-msft
 # Change history for device security
 This topic lists new and updated topics in the [Device security](index.md) documentation.
 
+## May 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
+
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|
-|[Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
+|[Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md) | Updated to include additional security qualifications starting with Windows 10, version 1703.|

windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md

@@ -0,0 +1,154 @@
+---
+title: Network access - Restrict clients allowed to make remote calls to SAM
+description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Network access: Restrict clients allowed to make remote calls to SAM
+
+**Applies to**
+-   Windows 10, version 1607 and later
+-   Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/en-us/help/4013198) installed
+-   Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/en-us/help/4012606) installed 
+-   Windows 8.1 with [KB 4102219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed 
+-   Windows 7 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed 
+-   Windows Server 2016
+-   Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
+-   Windows Server 2012 with [KB 4012220](https://support.microsoft.com/en-us/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed 
+-   Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+
+
+The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic. 
+
+This topic describes the default values for this security policy setting in different versions of Windows, related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups in the SAM so that your environment remains secure without adversely impacting application compatibility. 
+
+## Reference
+
+The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. 
+
+To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. 
+
+By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy is not enforced.   
+
+The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
+
+The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications.
+
+This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
+
+## Possible values
+-  Not defined
+-  Defined, along with the security descriptor for users and groups who are allowed or denied remote access to local SAM and Active directory using SAMRPC. 
+
+## Location
+
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
+
+This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting:
+
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam
+
+> [!NOTE] 
+This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. 
+
+## Default values
+Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. Computers that run earlier versions of Windows do not perform any access check by default. That includes domain controllers and non-domain controllers. This allows administrators to test whether applying the same restriction (that is, granting READ_CONTROL access only to members of the local Administrators group) will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. 
+
+In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows.
+
+### Default values beginning with Windows 10 version 1607 and Windows Server 2016 
+The following default values apply to computers beginning with Windows Server 2016 and Windows 10, version 1607. The default security descriptor for non-domain controllers grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group.
+
+
+| |Default SDDL	|Translated SDDL| Comments
+|---|---|---|---|
+|Domain controller (reading Active Directory|“”|-|Everyone has read permissions to preserve compatibility.
+|Non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>•	Revision: 0x02 <br>•	Size: 0x0020 <br>•	Ace Count: 0x001 <br>•	Ace[00]------------------------- AceType:0x00 <br> (ACCESS_ALLOWED_ACE_TYPE)<br> AceSize:0x0018 <br> InheritFlags:0x00 <br> Access Mask:0x00020000 <br> AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> SACL: Not present |Only members of the local (built-in) Administrators group get access.|
+
+### Default values for earlier versions of Windows
+
+The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run. 
+
+## Policy management
+
+This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log.
+
+### Audit only mode
+
+Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting.
+
+|Registry|Details|
+|---|---|
+|Path|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa|
+|Setting|RestrictRemoteSamAuditOnlyMode|
+|Data Type|REG_DWORD|
+|Value|1|
+|Notes|This setting cannot be added or removed by using predefined Group Policy settings. <br> Administrators may create a custom policy to set the registry value if needed. <br>                               SAM responds dynamically to changes in this registry value without a reboot. <br> You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.|
+
+### Related events
+
+There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
+1.	Dump event logs to a common share. 
+2.	Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script. 
+3.	Look for the following events: <br>
+•	For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table). <br>
+•	For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM. 
+4.	Identify which security contexts are enumerating users or groups in the SAM database. 
+5.	Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
+
+|Event ID|Event Message Text|Explanation |
+|---|---|---|
+|16962|"Remote calls to the SAM database are being restricted using the default security descriptor: %1.%n "<br><br> %2-  "Default SD String:" |Emit event when registry SDDL is absent, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).|
+|16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n" <br><br> %1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL.
+|16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n" <br><br>%1- "Malformed SD String:"<br> %2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).
+|16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"<br><br> %1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client.
+|16966|Audit Mode is enabled- <br><br>Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. 
+|16967|Audit Mode is disabled- <br><br>Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled.
+|16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n" <br>%1- "Client SID:" <br>%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.|
+|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n <br>"%1- "Throttle window:" <br>%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap. <br><br>Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section.
+
+Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. 
+
+### Event Throttling
+A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value.
+
+|Registry Path|System\CurrentControlSet\Control\Lsa\ 
+|---|---|
+Setting |RestrictRemoteSamEventThrottlingWindow|
+Data Type |DWORD|
+|Value|seconds|
+|Reboot Required?|No|
+|Notes|**Default** is 900 seconds – 15mins. <br>The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window. <br> For example, X events were suppressed in the last 15 minutes. <br>The counter is restarted after the event 16969 is logged.
+
+### Restart requirement
+
+Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability	
+The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. <br><br>
+The following example illustrates how an attacker might exploit remote SAM enumeration:
+1.	A low-privileged attacker gains a foothold on a network.
+2.	The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. 
+3.	If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
+
+### Countermeasure
+You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.
+
+### Potential impact
+If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode).  
+
+## Related Topics
+[Security Options](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/security-options)
+
+[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
+
+<br>

windows/device-security/security-policy-settings/security-options.md

@@ -82,6 +82,7 @@ For info about setting security policies, see [Configure security policy setting
 | [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| 
 | [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. |
 | [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
+| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
 | [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
 | [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
 | [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. |

windows/threat-protection/change-history-for-threat-protection.md

@@ -14,7 +14,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|
-|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
+|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
 |[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
 |[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
 |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703. |

windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md

@@ -0,0 +1,250 @@
+---
+title: WannaCrypt ransomware worm targets out-of-date systems
+description: In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
+keywords: wannacry, wannacrypt, wanna, ransomware
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: medium
+author: iaanw
+---
+
+#   WannaCrypt ransomware worm targets out-of-date systems
+ 
+
+On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so.
+
+Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
+
+In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
+
+## Attack vector
+
+Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), which was released on March 14, 2017.
+
+WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.
+
+The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
+
+We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:
+ 
+- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
+- Infection through SMB exploit when an unpatched computer is addressable from other infected machines
+ 
+## Dropper
+
+The threat arrives as a dropper Trojan that has the following two components:
+
+1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
+2. The ransomware known as WannaCrypt
+
+The dropper tries to connect the following domains using the API `InternetOpenUrlA()`:
+ 
+- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
+- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
+ 
+If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
+
+In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
+ 
+![Connection information from WannaCrypt code](images/wanna1.png)
+
+The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:
+```
+Service Name: mssecsvc2.0
+Service Description: (Microsoft Security Center (2.0) Service)
+Service Parameters: '-m security'
+```
+ 
+ ![Mssecsvc2.0 process details](images/wanna2.png)
+
+## WannaCrypt ransomware
+
+The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'.
+
+When run, WannaCrypt creates the following registry keys:
+ 
+- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\<random string> = '\<malware working directory>\tasksche.exe'*
+- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\<malware working directory>'*
+ 
+It changes the wallpaper to a ransom message by modifying the following registry key:
+ 
+- *HKCU\Control Panel\Desktop\Wallpaper: '\<malware working directory>\\@WanaDecryptor@.bmp'*
+ 
+It creates the following files in the malware's working directory:
+ 
+- *00000000.eky*
+- *00000000.pky*
+- *00000000.res*
+- *274901494632976.bat*
+- *@Please_Read_Me@.txt*
+- *@WanaDecryptor@.bmp*
+- *@WanaDecryptor@.exe*
+- *b.wnry*
+- *c.wnry*
+- *f.wnry*
+- *m.vbs*
+- *msg\m_bulgarian.wnry*
+- *msg\m_chinese (simplified).wnry*
+- *msg\m_chinese (traditional).wnry*
+- *msg\m_croatian.wnry*
+- *msg\m_czech.wnry*
+- *msg\m_danish.wnry*
+- *msg\m_dutch.wnry*
+- *msg\m_english.wnry*
+- *msg\m_filipino.wnry*
+- *msg\m_finnish.wnry*
+- *msg\m_french.wnry*
+- *msg\m_german.wnry*
+- *msg\m_greek.wnry*
+- *msg\m_indonesian.wnry*
+- *msg\m_italian.wnry*
+- *msg\m_japanese.wnry*
+- *msg\m_korean.wnry*
+- *msg\m_latvian.wnry*
+- *msg\m_norwegian.wnry*
+- *msg\m_polish.wnry*
+- *msg\m_portuguese.wnry*
+- *msg\m_romanian.wnry*
+- *msg\m_russian.wnry*
+- *msg\m_slovak.wnry*
+- *msg\m_spanish.wnry*
+- *msg\m_swedish.wnry*
+- *msg\m_turkish.wnry*
+- *msg\m_vietnamese.wnry*
+- *r.wnry*
+- *s.wnry*
+- *t.wnry*
+- *TaskData\Tor\libeay32.dll*
+- *TaskData\Tor\libevent-2-0-5.dll*
+- *TaskData\Tor\libevent_core-2-0-5.dll*
+- *TaskData\Tor\libevent_extra-2-0-5.dll*
+- *TaskData\Tor\libgcc_s_sjlj-1.dll*
+- *TaskData\Tor\libssp-0.dll*
+- *TaskData\Tor\ssleay32.dll*
+- *TaskData\Tor\taskhsvc.exe*
+- *TaskData\Tor\tor.exe*
+- *TaskData\Tor\zlib1.dll*
+- *taskdl.exe*
+- *taskse.exe*
+- *u.wnry*
+ 
+WannaCrypt may also create the following files:
+ 
+- *%SystemRoot%\tasksche.exe*
+- *%SystemDrive%\intel\\\<random directory name>\tasksche.exe*
+- *%ProgramData%\\\<random directory name>\tasksche.exe*
+ 
+It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '<malware working directory>\tasksche.exe'`.
+
+It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.*
+
+WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*.
+
+This ransomware also creates the file *@Please_Read_Me@.txt* in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
+
+After completing the encryption process, the malware deletes the volume shadow copies by running the following command:
+`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet`
+
+It then replaces the desktop background image with the following message:
+
+![Example background image of WannaCrypt](images/wanna3.png)
+ 
+It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:
+ 
+ ![Screenshot of WannaCrypt ransom notice](images/wanna4.png)
+
+The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
+
+The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.
+ 
+ ![Screenshot of decryption window](images/wanna5.png)
+
+## Spreading capability
+
+The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.
+
+![Spreading scanning activity](images/wanna6.png)
+ 
+The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.
+
+When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
+ 
+ ![Kernel-level shellcode used by WannaCrypt](images/wanna7.png)
+
+ ![Kernel-level shellcode used by WannaCrypt](images/wanna8.png)
+ 
+## Protection against the WannaCrypt attack
+
+To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
+
+We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
+
+- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
+- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
+ 
+[Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
+
+For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
+
+Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
+
+Monitor networks with [Windows Defender Advanced Threat Protection](http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090).
+
+## Resources
+
+Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu)
+
+Download localized language security updates: [Windows Server 2003 SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0)
+
+MS17-010 Security Update: [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
+
+Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
+
+General information on ransomware: [https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx)
+
+## Indicators of compromise
+
+SHA1 of samples analyzed:
+ 
+- 51e4307093f8ca8854359c0ac882ddca427a813c
+- e889544aff85ffaf8b0d0da705105dee7c97fe26
+ 
+Files created:
+ 
+- %SystemRoot%\mssecsvc.exe
+- %SystemRoot%\tasksche.exe
+- %SystemRoot%\qeriuwjhrf
+- b.wnry
+- c.wnry
+- f.wnry
+- r.wnry
+- s.wnry
+- t.wnry
+- u.wnry
+- taskdl.exe
+- taskse.exe
+- 00000000.eky
+- 00000000.res
+- 00000000.pky
+- @WanaDecryptor@.exe
+- @Please_Read_Me@.txt
+- m.vbs
+- @WanaDecryptor@.exe.lnk
+- @WanaDecryptor@.bmp
+- 274901494632976.bat
+- taskdl.exe
+- Taskse.exe
+- Files with '.wnry' extension
+- Files with '.WNCRY' extension
+ 
+Registry keys created:
+ 
+- HKLM\SOFTWARE\WanaCrypt0r\wd
+ 
+ 
+ 
+*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*<br />*Microsoft Malware Protection Center*
+ 

windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md

@@ -28,7 +28,7 @@ You can use a dedicated command-line tool to perform various functions in Window
 
 This utility can be useful when you want to automate the use of Windows Defender Antivirus. 
 
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
+The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
 
 > [!NOTE]
 > You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@@ -51,6 +51,7 @@ Command | Description
 \-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
 \-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
 \-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
+\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
 
 
 

windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md

@@ -146,6 +146,8 @@ Use the following argument with the Windows Defender AV command line utility (*m
 ```DOS
 MpCmdRun - ValidateMapsConnection 
 ```
+> [!NOTE]
+> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
 
 See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
 

windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md

@@ -1,6 +1,6 @@
 ---
 title: View and organize the Windows Defender ATP Alerts queue
-description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
+description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts.
 keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -21,7 +21,7 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
+The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
 
 Alerts are organized in queues by their workflow status or assignment:
 
@@ -33,17 +33,17 @@ Alerts are organized in queues by their workflow status or assignment:
 To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
 
 > [!NOTE]
-> By default, the queues are sorted from newest to oldest.
+> By default, alerts in the queues are sorted from newest to oldest.
 
 ## Sort and filter the alerts
-You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
+You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
 
 ![Alerts queue with numbers](images/alerts-queue-numbered.png)
 
 Highlighted area|Area name|Description
 :---|:---|:---
 1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
-2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
+2 | Alert selected | Select an alert to bring up the **Alert management** pane to manage and see details about the alert.
 3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
 
 ### Sort, filter, and group the alerts list
@@ -76,9 +76,9 @@ Reviewing the various alerts and their severity can help you decide on the appro
 
 **View**</br>
 - **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
-- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
+- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together.
 
-The group view allows for efficient alert triage and management.
+The grouped view allows efficient alert triage and management.
 
 ### Use the Alert management pane
 Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.

windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -77,7 +77,7 @@ netsh winhttp set proxy <proxy>:<port>
 For example: netsh winhttp set proxy 10.0.0.6:8080
 
 ## Enable access to Windows Defender ATP service URLs in the proxy server
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
 
 Primary Domain Controller | .Microsoft.com DNS record
 :---|:---

windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md

@@ -134,7 +134,7 @@ This step will guide you in simulating an event in connection to a malicious IP
 ## Step 4: Explore the custom alert in the portal
 This step will guide you in exploring the custom alert in the portal.
 
-1.	Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.
+1.	Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
 
 2.	Log in with your Windows Defender ATP credentials.
 

windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md

@@ -28,11 +28,11 @@ Follow these steps to associate your WIP policy with your organization's existin
 
 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
 
-    ![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png)
+    ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png)
 
 3.  In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
 
-    ![Microsoft Azure Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
+    ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
 
 4. In the **Custom OMA-URI Settings** blade, click **Add**.
 
@@ -48,13 +48,13 @@ Follow these steps to associate your WIP policy with your organization's existin
     
     - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
 
-        ![Microsoft Azure Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
+        ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
 
 6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
 
 7. Click **Create** to create the policy, including your OMA_URI info.
 
-## Deploy your VPN policy using Microsoft Azure Intune
+## Deploy your VPN policy using Microsoft Intune
 After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
 
 **To deploy your Custom VPN policy**
@@ -70,4 +70,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
     ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
 
 >[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md

@@ -342,6 +342,9 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
 
 We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
 
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 **To add your protection mode**
 
 1.	From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
@@ -353,7 +356,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
     |Mode |Description |
     |-----|------------|
     |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-    |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).|
+    |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
     |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
     |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
 

windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -339,10 +339,13 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
 
 We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
 
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 |Mode |Description |
 |-----|------------|
 |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
 

windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md

@@ -1,5 +1,5 @@
 ---
-title: Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune (Windows 10)
+title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
 description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
 ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@@ -11,7 +11,7 @@ author: eross-msft
 localizationpriority: high
 ---
 
-# Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune
+# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
 **Applies to:**
 
 - Windows 10, version 1607 and later
@@ -29,15 +29,15 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
 
     The policy is deployed to the selected users' devices.
 
-    ![Microsoft Azure Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
+    ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
 
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
 
 ## Related topics
-- [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](create-wip-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
 
-- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 
 - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)

windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md

@@ -82,7 +82,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
     
         You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
 
-    -   **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
+    -   **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 
     -   **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
     
@@ -123,18 +124,18 @@ Enterprise data is automatically encrypted after it’s loaded on a device from
 
 Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
 
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 You can set your WIP policy to use 1 of 4 protection and management modes:
 
 |Mode|Description|
 |----|-----------|
 |Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
 |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
 
->[!NOTE]
->For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
 ## Turn off WIP
 You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
 

windows/whats-new/whats-new-windows-10-version-1703.md

@@ -171,7 +171,7 @@ For Windows desktops, users are able to reset a forgotten PIN through **Settings
 For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
 
 ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
-Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
 
 You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).