Merge remote-tracking branch 'refs/remotes/origin/master' into live

2025-05-16 07:17:24 +00:00 · 2016-10-10 10:05:26 -07:00 · 2016-10-10 10:05:26 -07:00 · d396171881
commit d396171881
parent 09ffc29af7 9d26981cdf
83 changed files with 2692 additions and 280 deletions
--- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
@ -11,12 +11,12 @@ localizationpriority: medium
 ---

 # End a Surface Hub meeting with I'm Done
-Surface Hub is a collaboration device designed to be used simultaneously and sequentially by multiple people. At the end of a Surface Hub meeting, one of the attendees can tap or click **I'm Done** to end the meeting. Tapping **I'm Done** tells Surface Hub to clean up info from the current meeting, so that it will be ready for the next meeting. When a meeting attendee taps **I'm Done**, Surface Hub cleans up, or resets, these states. 
+Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
 - Applications
 - Operating system
 - User interface

-This topic explains what **I'm Done** resets for each of these states. 
+This topic explains what **I'm Done** resets for each of these states.

 ## Applications
 When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
@ -35,6 +35,7 @@ Skype does not store personally-identifiable information on Surface Hub. Informa

 ## Operating System
 The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. 
+
 ### File System
 Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:<br>
 - Music
@ -53,7 +54,7 @@ Surface Hub also clears these directories, since many applications often write t
 - Public Downloads

 ### Credentials
-User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap I’m done.
+User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**.

 ## User interface
 User interface (UI) settings are returned to their default values when **I'm Done** is selected. 
@ -69,7 +70,7 @@ User interface (UI) settings are returned to their default values when **I'm Don
 Accessibility features and apps are returned to default settings when **I'm Done** is selected.
 - Filter keys
 - High contrast
- Stickey keys
+- Sticky keys
 - Toggle keys
 - Mouse keys
 - Magnifier
@ -80,12 +81,11 @@ The clipboard is cleared to remove data that was copied to the clipboard during

 ## Frequently asked questions
 **What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**<br>
-When you don't tap **I"m Done** at the end of your meeting, Surface Hub enters a Resume state. This is similar to leaving content on a whiteboard in a meeting room, and forgetting to erase the whiteboard. When you return to the meeting room, that content will still be on the whiteboard unless someone erarses it. With Surface Hub, meeting content is still available if an attendee doesn't tap **I'm Done**. However, Surface Hub removes all meeting data during daily maintenance. Any meeting that wasn't ended with **I'm Done** will be cleaned up during maintenance. 
+Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one.

 **Are documents recoverable?**<br> 
-Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. 3rd-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. 
+Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.

 **Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**<br>
 No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.  
-
-  
+  
--- a/devices/surface-hub/images/wicd-screen02b.png
+++ b/devices/surface-hub/images/wicd-screen02b.png
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@ -36,14 +36,3 @@ Documents related to the Microsoft Surface Hub.
 </tr>
 </tbody>
 </table>
-
- 
-
- 
-
- 
-
-
-
-
-
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@ -54,7 +54,7 @@ A device account is an Exchange resource account that Surface Hub uses to displa
 After you've created your device account, there are a couple of ways to verify that it's setup correctly.
 - Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. 
 - Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
-
+ 

 ## Prepare for first-run program 
 There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md).  
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
@ -156,7 +156,7 @@ Depending on the app, you may or may not need to download a new app framework.

    ![icd tiles](images/wicd-screen-apps-02a.png)

-    Select the settings that are **Common to all Windows editions**, and click **Next**.
+    Select the settings that are **Common to all Windows desktop editions**, and click **Next**.

    ![icd tiles](images/wicd-screen02b.png)

--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@ -565,7 +565,7 @@ After you create the Windows Store for Business portal, configure it by using th

 Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.

-**Note**&nbsp;&nbsp;Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
+**Note**&nbsp;&nbsp;Your educational institution can now use a credit card to pay for apps in Windows Store for Business.

 You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.

--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@ -18,6 +18,8 @@ author: jdeckerMS

 Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.

+[Download the Set up School PCs app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4ls40)
+
 ![Run app, turn on PC, insert USB key](images/app1.jpg)

 ## What does this app do?
--- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md
+++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md
@ -13,7 +13,7 @@ ms.prod: w10
 # Choosing Which Version of AGPM to Install


-Each release of Microsoft Advanced Group Policy Management (AGPM) supports specific versions of the Windows operating system. We strongly recommend that you run the AGPM Client and AGPM Server on the same line of operating systems, for example, Windows 8.1 with Windows Server 2012 R2, Windows 8 with Windows Server 2012, and so on.
+Each release of Microsoft Advanced Group Policy Management (AGPM) supports specific versions of the Windows operating system. We strongly recommend that you run the AGPM Client and AGPM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.

 We recommend that you install the AGPM Server on the most recent version of the operating system in the domain. AGPM uses the Group Policy Management Console (GPMC) to back up and restore Group Policy Objects (GPOs). Because newer versions of the GPMC provide additional policy settings that are not available in earlier versions, you can manage more policy settings by using the most recent version of the operating system.

@ -45,8 +45,8 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Windows 10</p></td>
-<td align="left"><p>Windows 10</p></td>
+<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
+<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="even">
@ -55,19 +55,19 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
-<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
+<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
+<td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
 <td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
@ -77,7 +77,7 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
 <tr class="odd">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
 </tbody>
 </table>
@ -113,29 +113,29 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP2, and
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
-<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
+<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
+<td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
 <td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Not supported</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
 </tbody>
 </table>
@ -164,29 +164,29 @@ Table 2 lists the operating systems on which you can install AGPM 4.0 SP1, and t
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
-<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
+<td align="left"><p>Windows Server 2012</p></td>
+<td align="left"><p>Windows Server 2012</p></td>
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2, or Windows 7</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2, or Windows 7</p></td>
 </tr>
 </tbody>
 </table>
--- a/mdop/agpm/index.md
+++ b/mdop/agpm/index.md
@ -18,11 +18,11 @@ Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of th
 ## AGPM Version Information


-[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
+[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.

-[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
+[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.

-[AGPM 4.0 SP1](agpm-40-sp1-navengl.md) supports Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
+[AGPM 4.0 SP1](agpm-40-sp1-navengl.md) supports Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.

 [AGPM 4](agpm-4-navengl.md) supports Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.

--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp3.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp3.md
@ -88,6 +88,10 @@ If a user who has the Editor role submits a request to deploy a GPO, and the use

 **Workaround:** None.

+### Added mechanism to override AGPM default behavior of removing GPO permission changes
+
+As of HF02, AGPM has added a registry key to enable overriding the default AGPM GPO permission behavior. For more information, please see [Changes to Group Policy object permissions through AGPM are ignored](https://support.microsoft.com/kb/3174540)
+
 ## Related topics


--- a/mdop/agpm/whats-new-in-agpm-40-sp3.md
+++ b/mdop/agpm/whats-new-in-agpm-40-sp3.md
@ -22,7 +22,7 @@ AGPM 4.0 SP3 supports the following features and functionality.

 ### Support for Windows 10

-AGPM 4.0 SP3 adds support for the Windows 10 operating systems.
+AGPM 4.0 SP3 adds support for the Windows 10 and Windows Server 2016 operating systems.

 ### Support for PowerShell

@ -111,7 +111,7 @@ You can upgrade the AGPM Client or AGPM Server to AGPM 4.0 SP3 without being pr
 ## Supported configurations


-AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM supports mixed configurations, we strongly recommend that you run the AGPM Client and AGPM Server on the same operating system line—for example, Windows 10 only, Windows 8.1 with Windows Server 2012 R2, and so on.
+AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM supports mixed configurations, we strongly recommend that you run the AGPM Client and AGPM Server on the same operating system line—for example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.

 **AGPM 4.0 SP3 supported operating systems and policy settings**

@ -130,7 +130,7 @@ AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Windows 10</p></td>
+<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
 <td align="left"><p>Windows 10</p></td>
 <td align="left"><p>Supported</p></td>
 </tr>
@ -140,29 +140,29 @@ AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
-<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
+<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
+<td align="left"><p>Windows Server 2012</p></td>
 <td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
-<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Not supported</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
-<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
+<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
 </tbody>
 </table>
@ -190,7 +190,7 @@ The following table describes the behavior of AGPM 4.0 SP3 Client and Server in

 **Remote Server Administration Tools**

-**Windows 10**
+**Windows 10 or Windows Server 2016**

 If the .NET Framework 4.5.1 is not enabled or installed, the installer blocks the installation.

--- a/mdop/appv-v5/app-v-51-supported-configurations.md
+++ b/mdop/appv-v5/app-v-51-supported-configurations.md
@ -58,16 +58,21 @@ Microsoft provides support for the current service pack and, in some cases, the
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
+<td align="left"><p>Microsoft Windows Server 2016</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="odd">
+<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="even">
 <td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
@ -147,16 +152,21 @@ The following table lists the operating systems that are supported for the App-V
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
+<td align="left"><p>Microsoft Windows Server 2016</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="odd">
+<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="even">
 <td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
@ -195,16 +205,21 @@ The following table lists the operating systems that are supported for the App-V
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
+<td align="left"><p>Microsoft Windows Server 2016</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="odd">
+<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="even">
 <td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
@ -267,6 +282,8 @@ The following table lists the SQL Server versions that are supported for the App

 The following table lists the operating systems that are supported for the App-V 5.1 client installation.

+**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
+
 <table>
 <colgroup>
 <col width="33%" />
@ -282,7 +299,7 @@ The following table lists the operating systems that are supported for the App-V
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows 10</p></td>
+<td align="left"><p>Microsoft Windows 10 (pre-1607 version)</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
@ -292,11 +309,6 @@ The following table lists the operating systems that are supported for the App-V
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows 8</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>32-bit or 64-bit</p></td>
-</tr>
-<tr class="even">
 <td align="left"><p>Windows 7</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>32-bit or 64-bit</p></td>
@ -344,16 +356,21 @@ The following table lists the operating systems that are supported for App-V 5.1
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
+<td align="left"><p>Microsoft Windows Server 2016</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="odd">
+<td align="left"><p>Microsoft Windows Server 2012</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="even">
 <td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
@ -393,32 +410,32 @@ The following table lists the operating systems that are supported for the App-V
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
+<td align="left"><p>Microsoft Windows Server 2016</p></td>
 <td align="left"></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="even">
+<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
+<td align="left"></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="odd">
 <td align="left"><p>Microsoft Windows Server 2012</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td align="left"><p>Microsoft Windows 10</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>32-bit and 64-bit</p></td>
 </tr>
-<tr class="odd">
-<td align="left"><p>Microsoft Windows 8.1</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>32-bit and 64-bit</p></td>
-</tr>
 <tr class="even">
-<td align="left"><p>Microsoft Windows 8</p></td>
+<td align="left"><p>Microsoft Windows 8.1</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>32-bit and 64-bit</p></td>
 </tr>
--- a/mdop/appv-v5/release-notes-for-app-v-51.md
+++ b/mdop/appv-v5/release-notes-for-app-v-51.md
@ -143,6 +143,44 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO

 **Workaround**: Use a different filename

+## Intermittent "File Not Found" error when Mounting a Package
+
+
+Occassionally when mounting a package, a "File Not Found" (0x80070002) error is generated. Typically, this occurs when a folder in an App-V package contains many files ( i.e. 20K or more). This can cause streaming to take longer than expected and to time out which generates the "File Not Found" error.
+
+**Workaround**: Starting with HF06, a new registry key has been introduced to enable extending this time-out period.
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="80%" />
+</colgroup>
+<tbody>
+<tr>
+<td align="left">Path</td>
+<td align="left">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming</td>
+</tr>
+<tr>
+<td align="left">Setting</td>
+<td align="left">StreamResponseWaitTimeout</td>
+</tr>
+<tr>
+<td align="left">DataType</td>
+<td align="left">DWORD</td>
+</tr>
+<tr>
+<td align="left">Units</td>
+<td align="left">Seconds</td>
+</tr>
+<tr>
+<td align="left">Default</td>
+<td align="left">5<br />
+**Note**: this value is the default if the registry key is not defined or a value <=5 is specified.
+</td>
+</tr>
+</tbody>
+</table>
+
 ## Got a suggestion for App-V?


--- a/mdop/mbam-v25/about-mbam-25-sp1.md
+++ b/mdop/mbam-v25/about-mbam-25-sp1.md
@ -88,7 +88,7 @@ For a list of all languages supported for client and server in MBAM 2.5 and MBAM

 ### Support for Windows 10

-MBAM 2.5 SP1 adds support for Windows 10, in addition to the same software that is supported in earlier versions of MBAM.
+MBAM 2.5 SP1 adds support for Windows 10 and Windows Server 2016, in addition to the same software that is supported in earlier versions of MBAM.

 Windows 10 is supported in both MBAM 2.5 and MBAM 2.5 SP1.

@ -217,6 +217,7 @@ After installation, the service will now set the MBAM agent service to use delay

 The compliance calculation logic for "Locked Fixed Data" volumes has been changed to report the volumes as "Compliant," but with a Protector State and Encryption State of "Unknown" and with a Compliance Status Detail of "Volume is locked". Previously, locked volumes were reported as “Non-Compliant”, a Protector State of "Encrypted", an Encryption State of "Unknown", and a Compliance Status Detail of "An unknown error".

+
 ## How to Get MDOP Technologies


--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@ -137,6 +137,8 @@ The following tables show the languages that are supported for the MBAM Client (

 ### MBAM Server operating system requirements

+We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
+
 The following table lists the operating systems that are supported for the MBAM Server installation.

 <table>
@ -156,21 +158,27 @@ The following table lists the operating systems that are supported for the MBAM
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Windows Server 2008 R2</p></td>
-<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
-<td align="left"><p>SP1</p></td>
+<td align="left"><p>Windows Server 2016</p></td>
+<td align="left"><p>Standard or Datacenter</p></td>
+<td align="left"></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="even">
+<td align="left"><p>Windows Server 2012 R2</p></td>
+<td align="left"><p>Standard or Datacenter</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="odd">
 <td align="left"><p>Windows Server 2012</p></td>
 <td align="left"><p>Standard or Datacenter</p></td>
 <td align="left"></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows Server 2012 R2</p></td>
-<td align="left"><p>Standard or Datacenter</p></td>
-<td align="left"><p></p></td>
+<td align="left"><p>Windows Server 2008 R2</p></td>
+<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
+<td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
 </tbody>
@ -441,6 +449,8 @@ The following table lists the server processor, RAM, and disk space requirements

 ### Client operating system requirements

+We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
+
 The following table lists the operating systems that are supported for MBAM Client installation. The same requirements apply to the Stand-alone and the Configuration Manager Integration topologies.

 <table>
@ -472,20 +482,14 @@ The following table lists the operating systems that are supported for MBAM Clie
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows 8</p></td>
-<td align="left"><p>Enterprise</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>32-bit or 64-bit</p></td>
-</tr>
-<tr class="even">
 <td align="left"><p>Windows 7</p></td>
 <td align="left"><p>Enterprise or Ultimate</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Windows To Go</p></td>
-<td align="left"><p>Windows 8, Windows 8.1, and Windows 10 Enterprise</p></td>
+<td align="left"><p>Windows 8.1 and Windows 10 Enterprise</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
@ -532,30 +536,24 @@ The following table lists the operating systems that are supported for MBAM Grou
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Windows 8</p></td>
-<td align="left"><p>Enterprise, or Pro</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>32-bit or 64-bit</p></td>
-</tr>
-<tr class="even">
 <td align="left"><p>Windows 7</p></td>
 <td align="left"><p>Enterprise, or Ultimate</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>32-bit or 64-bit</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Windows Server 2012 R2</p></td>
 <td align="left"><p>Standard or Datacenter</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td align="left"><p>Windows Server 2012</p></td>
 <td align="left"><p>Standard or Datacenter</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Windows Server 2008 R2</p></td>
 <td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
 <td align="left"><p>SP1</p></td>
--- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
@ -118,6 +118,22 @@ If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an "Acc

 **Workaround:** If the "Access Denied" error message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.

+### Support for Bitlocker XTS-AES encryption algorithm
+Bitlocker added support for the XTS-AES encryption algorithm in Windows 10, version 1511. 
+As of HF02, MBAM now supports this Bitlocker option and is a client-only update.
+However, there are two known limitations:
+
+* MBAM will correctly report compliance status but the **Cipher Strength** field in MBAM reports will be empty. 
+MBAM pre-built reports and compliance charts won’t break but the **Cipher Strength** column will be empty for XTS machines. 
+Also, if a customer has a custom report that uses this particular field, they may have to make adjustments to accommodate this update.  
+
+* Customers must use the same encryption strength for OS and data volumes on the same machine.
+If different encryption strengths are used, MBAM will report the machine as **non-compliant**.
+
+### Self-Service Portal automatically adds "-" on Key ID entry
+As of HF02, the MBAM Self-Service Portal automatically adds the '-' on Key ID entry.  
+**Note:** The Server has to be reconfigured for the Javascript to take effect.
+
 ## Got a suggestion for MBAM?


--- a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md
+++ b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md
@ -70,7 +70,7 @@ If upon installation the user or administrator choses to participate in the Cust

 ### Monitor Application Settings

-The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
+The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is run at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.

 <table>
 <colgroup>
@ -96,7 +96,7 @@ The **Monitor Application Settings** task is used to synchronize settings for Wi
 ### Sync Controller Application

 The **Sync Controller Application** task is used to start the Sync Controller to synchronize settings from the computer to the settings storage location. By default, the task runs every 30 minutes. At that time, local settings are synchronized to the settings storage location, and updated settings on the settings storage location are synchronized to the computer. The Sync Controller application runs the Microsoft.Uev.SyncController.exe, which is located in the UE-V Agent installation directory.
-
+**Note:** As per the **Monitor Application Settings** task, this task is run at logon but is delayed by 30 seconds to not affect the logon detrimentally.
 <table>
 <colgroup>
 <col width="50%" />
@ -305,7 +305,7 @@ The following additional information applies to UE-V scheduled tasks:

 -   ll task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default.

-   The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary.
+-   The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary. If users complain that settings do not synchronize fast enough on logon, then you can remove the delay setting for the scheduled task. (You can find the delay setting in the **Edit Trigger** dialogue box)

 -   You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately.

--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@ -9,6 +9,7 @@
 #### [Prepare your environment](upgrade-analytics-prepare-your-environment.md)
 #### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md)
 #### [Deploy Windows](upgrade-analytics-deploy-windows.md)
+#### [Review site discovery](upgrade-analytics-review-site-discovery.md)
 ### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
 ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
 ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
@ -44,6 +45,7 @@
 ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
 ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@ -15,6 +15,9 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
 | New or changed topic | Description |
 |----------------------|-------------|
 | [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New | 
+| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated with prerequisites for site discovery |
+| [Resolve application and driver issues](upgrade-analytics-resolve-issues.md) | Updated with app status info for Ready For Windows |
+| [Review site discovery](upgrade-analytics-review-site-discovery.md) | New |

 ## RELEASE: Windows 10, version 1607

@ -26,6 +29,11 @@ The topics in this library have been updated for Windows 10, version 1607 (also

 =======

+## October 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New | 
+
 ## August 2016
 | New or changed topic | Description |
 |----------------------|-------------|
--- a/windows/deploy/images/upgrade-analytics-create-iedataoptin.png
+++ b/windows/deploy/images/upgrade-analytics-create-iedataoptin.png
--- a/windows/deploy/images/upgrade-analytics-most-active-sites.png
+++ b/windows/deploy/images/upgrade-analytics-most-active-sites.png
--- a/windows/deploy/images/upgrade-analytics-namepub-rollup.PNG
+++ b/windows/deploy/images/upgrade-analytics-namepub-rollup.PNG
--- a/windows/deploy/images/upgrade-analytics-query-activex-name.png
+++ b/windows/deploy/images/upgrade-analytics-query-activex-name.png
--- a/windows/deploy/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
+++ b/windows/deploy/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
--- a/windows/deploy/images/upgrade-analytics-ready-for-windows-status.PNG
+++ b/windows/deploy/images/upgrade-analytics-ready-for-windows-status.PNG
--- a/windows/deploy/images/upgrade-analytics-site-activity-by-doc-mode.png
+++ b/windows/deploy/images/upgrade-analytics-site-activity-by-doc-mode.png
--- a/windows/deploy/images/upgrade-analytics-site-domain-detail.png
+++ b/windows/deploy/images/upgrade-analytics-site-domain-detail.png
--- a/windows/deploy/images/upgrade-process.png
+++ b/windows/deploy/images/upgrade-process.png
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@ -21,6 +21,7 @@ Learn about deploying Windows 10 for IT professionals.
 |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
 |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
 |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
+|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
 | [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
--- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
+++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
@ -92,9 +92,10 @@ By default MDT stores the log files locally on the client. In order to capture a

 1.  On MDT01, log on as **CONTOSO\\Administrator**.
 2.  Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+
    ``` syntax
    New-Item -Path E:\Logs -ItemType directory
-    New-SmbShare ?Name Logs$ ?Path E:\Logs -ChangeAccess EVERYONE
+    New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
    icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
    ```

--- a/windows/deploy/resolve-windows-10-upgrade-errors.md
+++ b/windows/deploy/resolve-windows-10-upgrade-errors.md
@ -0,0 +1,890 @@
+---
+title: Resolve Windows 10 upgrade errors
+description: Resolve Windows 10 upgrade errors
+ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+localizationpriority: high
+---
+
+# Resolve Windows 10 upgrade errors
+
+**Applies to**
+-   Windows 10
+
+This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
+
+## In this topic
+
+The following sections and procedures are provided in this guide:
+
+- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.<BR>
+- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.<BR>
+- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
+    - [Result codes](#result-codes): Information about result codes.
+    - [Extend codes](#extend-codes): Information about extend codes.
+- [Log files](#log-files): A list and description of log files useful for troubleshooting.
+    - [Log entry structure](#log-entry-structure): The format of a log entry is described.
+    - [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
+- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
+    - [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
+    - [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
+    - [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
+    - [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+
+## The Windows 10 upgrade process
+
+The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
+
+1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
+2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
+        - Example error codes: 0x2000C, 0x20017
+3. **First boot phase**: Initial settings are applied.
+        - Example error codes: 0x30018, 0x3000D
+4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
+        - Example error: 0x4000D, 0x40017
+5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
+        - Example error: 0x50000
+
+**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
+
+![Upgrade process](images/upgrade-process.png)
+
+DU = Driver/device updates.<BR>
+OOBE = Out of box experience.<BR>
+WIM = Windows image (Microsoft)
+
+## Quick fixes
+
+The following steps can resolve many Windows upgrade problems.
+
+<OL>
+<LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
+<UL>
+<LI>chkdsk /F</LI>
+</UL>
+</LI>
+<LI>Attept to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
+<UL>
+<LI>DISM.exe /Online /Cleanup-image /Restorehealth</LI>
+<LI>sfc /scannow</LI>
+</UL>
+</LI>
+<LI>Update Windows so that all available recommended updates are installed.</LI>
+<LI>Uninstall non-Microsoft antivirus software.
+  <UL> 
+  <LI>Use Windows Defender for protection during the upgrade. 
+  <LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
+  </UL>
+<LI>Uninstall all nonessential software.</LI>
+<LI>Remove nonessential external hardware, such as docks and USB devices.</LI> 
+<LI>Update firmware and drivers.</LI>
+<LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
+<LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
+</OL>
+
+
+
+## Upgrade error codes
+
+If the upgrade process is not successful, Windows Setup will return two codes:
+
+1. **A result code**: The result code corresponds to a specific Win32 error.
+2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.  
+
+>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
+
+Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
+
+### Result codes
+
+>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Other error codes](#other-error-codes) section later in this topic.
+
+Result codes can be matched to the type of error encountered. To match a result code to an error:
+
+1. Identify the error code type, either Win32 or NTSTATUS, using the first hexidecimal digit:
+        <BR>8 = Win32 error code (ex: 0x**8**0070070)
+        <BR>C = NTSTATUS value (ex: 0x**C**1900107)
+2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
+3. Based on the type of error code determined in the first step, match the 4 digits derived from the second step to either a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx), or an [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx). 
+
+For example:
+- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
+- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
+
+Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. 
+
+### Extend codes
+
+>Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+
+Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
+
+1. Use the first digit to identify the phase (ex: 0x4000D  = 4).
+2. Use the last two digits to identify the operation (ex: 0x4000D  = 0D).
+3. Match the phase and operation to values in the tables provided below.
+
+The following tables provide the corresponding phase and operation for values of an extend code:
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD colspan=2 align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: phase</B></TD>
+<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 5.4pt 0in 5.4pt'><span style='padding:0in 1pt 0in 1pt;'><b>Phase</b>
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_UNKNOWN
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_DOWNLEVEL
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_SAFE_OS
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_FIRST_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OOBE_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_UNINSTALL
+</TABLE>
+
+<TABLE border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;border:none'>
+<TR><TD colspan=2 align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: operation</B></TD>
+<TR><TD align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 4pt 0in 4pt'><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_UNKNOWN
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_COPY_PAYLOAD
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DOWNLOAD_UPDATES
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_UPDATES
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>6<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REPLICATE_OC
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>7<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_DRVIERS
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>8<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_SAFE_OS
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>9<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_ROLLBACK
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>A<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_FIRST_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>B<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_OOBE_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>C<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_APPLY_IMAGE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>D<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_MIGRATE_DATA
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>E<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SET_PRODUCT_KEY
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>F<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_UNATTEND
+</TABLE>
+</TD>
+<TD align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 4pt 0in 4pt'><b>Operation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>10<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_DRIVER
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>11<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ENABLE_FEATURE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>12<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DISABLE_FEATURE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>13<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>14<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>15<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_FILE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>16<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_REGISTRY
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>17<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>18<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SYSPREP
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>19<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_OOBE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1A<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_FIRST_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1B<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_FIRST_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1C<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_OOBE_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1D<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_OOBE_BOOT
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1E<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PRE_OOBE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1F<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_POST_OOBE
+<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>20<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
+</TABLE>
+</TD>
+</TR>
+</TABLE>
+
+For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
+
+## Log files
+
+Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. 
+
+<P>The following table describes some log files and how to use them for troubleshooting purposes:
+
+<TABLE>
+<TR>
+<td BGCOLOR="#a0e4fa"><B>Log file<td BGCOLOR="#a0e4fa"><B>Phase: Location<td BGCOLOR="#a0e4fa"><B>Description<td BGCOLOR="#a0e4fa"><B>When to use
+
+<TR><TD rowspan=5>setupact.log<TD>Down-Level:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about setup actions during the downlevel phase. 
+<TD>All down-level failures and starting point for rollback investigations.<BR> This is the most important log for diagnosing setup issues.
+<TR><TD>OOBE:<BR>$Windows.~BT\Sources\Panther\UnattendGC
+<TD>Contains information about actions during the OOBE phase.<TD>Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
+<TR><TD>Rollback:<BR>$Windows.~BT\Sources\Rollback<TD>Contains information about actions during rollback.<TD>Investigating generic rollbacks - 0xC1900101.
+<TR><TD>Pre-initialization (prior to downlevel):<BR>Windows</TD><TD>Contains information about initializing setup.<TD>If setup fails to launch.
+<TR><TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about setup actions during the installation.<TD>Investigate post-upgrade related issues.
+
+<TR><TD>setuperr.log<TD>Same as setupact.log<TD>Contains information about setup errors during the installation.<TD>Review all errors encountered during the installation phase.
+
+<TR><TD>miglog.xml<TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about what was migrated during the installation.<TD>Identify post upgrade data migration issues.
+
+<TR><TD>BlueBox.log<TD>Down-Level:<BR>Windows\Logs\Mosetup<TD>Contains information communication between setup.exe and Windows Update.<TD>Use during WSUS and WU down-level failures or for 0xC1900107.
+
+<TR><TD>Supplemental rollback logs:<BR>
+Setupmem.dmp<BR>
+setupapi.dev.log<BR>
+Event logs (*.evtx)
+
+
+<TD>$Windows.~BT\Sources\Rollback<TD>Additional logs collected during rollback.
+<TD>
+Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<BR>
+Setupapi: Device install issues - 0x30018<BR>
+Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
+
+</TABLE>
+
+### Log entry structure
+
+A setupact.log or setuperr.log entry includes the following elements:
+
+<OL>
+<LI><B>The date and time</B> - 2016-09-08 09:20:05.
+<LI><B>The log level</B> - Info, Warning, Error, Fatal Error.
+<LI><B>The logging component</B> - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
+<UL>
+<LI>The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
+</UL>
+<LI><B>The message</B> - Operation completed successfully.
+</OL>
+
+See the following example:
+
+| Date/Time | Log level | Component | Message |
+|------|------------|------------|------------|
+|2016-09-08 09:23:50,|  Warning |         MIG  |   Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
+
+
+### Analyze log files
+
+<P>To analyze Windows Setup log files:
+
+<OL>
+<LI>Determine the Windows Setup error code.
+<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
+<LI>Open the log file in a text editor, such as notepad.
+<LI>Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
+<LI>To find the last occurrence of the result code:
+  <OL type="a">
+  <LI>Scroll to the bottom of the file and click after the last character.
+  <LI>Click **Edit**.
+  <LI>Click **Find**.
+  <LI>Type the result code.
+  <LI>Under **Direction** select **Up**.
+  <LI>Click **Find Next**.
+  </OL>
+<LI> When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
+<LI> Search for the following important text strings:
+  <UL>
+  <LI><B>Shell application requested abort</B>
+  <LI><B>Abandoning apply due to error for object</B>
+  </UL>
+<LI> Decode Win32 errors that appear in this section.
+<LI> Write down the timestamp for the observed errors in this section.
+<LI> Search other log files for additional information matching these timestamps or errors.
+</OL>
+
+For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
+
+>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
+
+<P><B>setuperr.log</B> content:
+
+<pre style="font-size: 10px; overflow-y: visible">
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
+27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
+</PRE>
+
+The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
+
+<pre style="font-size: 10px; overflow-y: visible">
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+</PRE>
+
+</B>The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
+
+Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**.  This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
+
+<P><B>setupact.log</B> content:
+
+<pre style="font-size: 10px; overflow-y: visible">
+27:00, Info                   Gather started at 10/5/2016 23:27:00
+27:00, Info [0x080489] MIG    Setting system object filter context (System)
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
+27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
+27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
+27:08, Info [0x080489] MIG    Setting system object filter context (System)
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
+27:08, Info                   Leaving MigGather method
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+</PRE>
+
+<P>This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is  C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. 
+
+## Resolution procedures
+
+### 0xC1900101
+
+A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<BR>
+
+- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, 
+- Event logs: $Windows.~bt\Sources\Rollback\*.evtx 
+- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
+
+The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).  To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process. 
+
+<P>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
+
+
+<TABLE border=1 cellspacing=0 cellpadding=0>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004</B>
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
+<BR>This is generally caused by out-of-date drivers. 
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Uninstall antivirus applications.
+<BR>Remove all unused SATA devices.
+<BR>Remove all unused devices and drivers.
+<BR>Update drivers and BIOS.
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c</B>
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
+<BR>This is generally caused by out-of-date drivers. 
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+<BR>Contact your hardware vendor to obtain updated device drivers.
+<BR>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 
+</TABLE>
+</TD>
+</TR>
+
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
+
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
+<BR>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
+<P>This is a safeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. 
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+Ensure that all that drivers are updated.<BR>
+Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
+<BR>For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx).
+<BR>Update or uninstall the problem drivers.
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018</B>
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+<BR>Contact your hardware vendor to obtain updated device drivers.
+<BR>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D</B>
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
+<BR>This can occur due to a problem with a display driver.
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+<BR>Update or uninstall the display driver.
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D</B>
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
+<P>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.  
+
+<P>This can occur due to incompatible drivers.  
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+<P>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. 
+<p>Review the rollback log and determine the stop code.
+<BR>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder.  An example analysis is shown below. This example is not representative of all cases:
+<p>Info SP     Crash 0x0000007E detected
+<BR>Info SP       Module name           : 
+<BR>Info SP       Bugcheck parameter 1  : 0xFFFFFFFFC0000005
+<BR>Info SP       Bugcheck parameter 2  : 0xFFFFF8015BC0036A
+<BR>Info SP       Bugcheck parameter 3  : 0xFFFFD000E5D23728
+<BR>Info SP       Bugcheck parameter 4  : 0xFFFFD000E5D22F40
+<BR>Info SP     Cannot recover the system.
+<BR>Info SP     Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
+
+
+<P>Typically there is a a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<BR>
+
+1. Make sure you have enough disk space.<BR>
+2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<BR>
+3. Try changing video adapters.<BR>
+4. Check with your hardware vendor for any BIOS updates.<BR>
+5. Disable BIOS memory options such as caching or shadowing.
+</p>
+</TABLE>
+</TD>
+</TR>
+
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017</B>
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
+<BR>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Clean boot into Windows, and then attempt the upgrade to Windows 10.<BR>
+
+For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
+
+<P>Ensure you select the option to "Download and install updates (recommended)."
+</TABLE>
+</TD>
+</TR>
+
+</TABLE>
+
+### 0x800xxxxx
+
+Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
+
+<P>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
+
+<TABLE border=1 cellspacing=0 cellpadding=0>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8000405 - 0x20007
+
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+An unspecified error occurred with a driver during the SafeOS phase.
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
+
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+800704B8 - 0x3001A
+
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+An extended error has occurred during the first boot phase.
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
+
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007042B - 0x4000D
+
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. 
+<BR>This issue can occur due to file system, application, or driver issues.
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+[Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
+
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007001F - 0x4000D
+
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+General failure, a device attached to the system is not functioning.  
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+[Analyze log files](#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
+
+</TABLE>
+</TD>
+</TR>
+
+<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007042B - 0x4001E
+
+</TABLE>
+
+<P><TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+The installation failed during the second boot phase while attempting the PRE_OOBE operation.
+
+</TABLE>
+</TD>
+
+<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<TABLE cellspacing=0 cellpadding=0>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
+
+</TABLE>
+</TD>
+</TR>
+
+</TABLE>
+
+
+### Other result codes
+
+<table>
+
+<tr>
+<td BGCOLOR="#a0e4fa"><B>Error code</th>
+<td BGCOLOR="#a0e4fa"><B>Cause</th>
+<td BGCOLOR="#a0e4fa"><B>Mitigation</th>
+</tr>
+
+<tr>
+<td>0xC1900200</td>
+<td>Setup.exe has detected that the machine does not meet the minimum system requirements.</td>
+<td>Ensure the system you are trying to upgrade meets the minimum system requirements. <P>See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications)  for information.</td>
+</tr>
+
+
+<tr>
+<td>0x80090011</td>
+<td>A device driver error occurred during user data migration.</td>
+<td>Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. 
+<P>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
+</tr>
+<tr>
+<td>0xC7700112</td>
+<td>Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.</td>
+<td>This issue is resolved in the latest version of Upgrade Assistant. 
+<P>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
+</tr>
+
+<tr>
+<td>0x80190001</td>
+<td>An unexpected error was encountered while attempting to download files required for upgrade.</td>
+<td>To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
+</td>
+</tr>
+<tr>
+<td>0x80246007</td>
+<td>The update was not downloaded successfully.</td>
+<td>Attempt other methods of upgrading the operatign system.<BR>
+Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10). 
+<BR>Attempt to upgrade using .ISO or USB.<BR>
+**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
+</td>
+</tr>
+<tr>
+<td>0xC1900201</td>
+<td>The system did not pass the minimum requirements to install the update.</td>
+<td>Contact the hardware vendor to get the latest updates.</td>
+</tr>
+<tr>
+<td>0x80240017</td>
+<td>The upgrade is unavailable for this edition of Windows.</td>
+<td>Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.</td>
+</tr>
+
+<tr>
+<td>0x80070020</td>
+<td>The existing process cannot access the file because it is being used by another process.</td>
+<td>Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).</td>
+</tr>
+<tr>
+<td>0x80070522</td>
+<td>The user doesn’t have required privilege or credentials to upgrade.</td>
+<td>Ensure that you have signed in as a local administrator or have local administrator privileges.</td>
+</tr>
+<tr>
+<td>0xC1900107</td>
+<td>A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
+</td>
+<td>Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).</td>
+</tr>
+<tr>
+<td>0xC1900209</td>
+<td>The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.</td>
+<td>Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information.
+
+<P>You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
+</td>
+</tr>
+
+
+<tr>
+<td>0x8007002 </td>
+<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
+<td>Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
+
+<P>The error 80072efe means that the connection with the server was terminated abnormally.
+
+<P>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
+</td>
+</tr>
+
+</table>
+
+### Other error codes
+
+<TABLE>
+
+<TR><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</TD></TR>
+<TR><TD>0x80070003- 0x20007
+<TD>This is a failure during SafeOS phase driver installation. 
+
+<TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
+</TD></TR>
+<TR><TD>0x8007025D - 0x2000C
+<TD>This error occurs if the ISO file's metadata is corrupt.<TD>"Re-download the ISO/Media and re-attempt the upgrade.
+
+Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
+
+</TD></TR>
+<TR><TD>0x80070490 - 0x20007<TD>An incompatible device driver is present.
+
+<TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
+
+</TD></TR>
+<TR><TD>0xC1900101 - 0x2000c
+<TD>An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
+<TD>Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
+<P>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.</TD></TR>
+<TR><TD>0xC1900200 - 0x20008
+
+<TD>The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
+
+<TD>See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
+
+<BR>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</TD></TR>
+<TR><TD>0x80070004 - 0x3000D
+<TD>This is a problem with data migration during the first boot phase. There are multiple possible causes.
+
+<TD>[Analyze log files](#analyze-log-files) to determine the issue.</TD></TR>
+<TR><TD>0xC1900101 - 0x4001E
+<TD>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
+<TD>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.</TD></TR>
+<TR><TD>0x80070005 - 0x4000D
+<TD>The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
+<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.</TD></TR>
+<TR><TD>0x80070004 - 0x50012
+<TD>Windows Setup failed to open a file. 
+<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.</TD></TR>
+<TR><TD>0xC190020e 
+<BR>0x80070070 - 0x50011
+<BR>0x80070070 - 0x50012
+<BR>0x80070070 - 0x60000
+<TD>These errors indicate the computer does not have enough free space available to install the upgrade.
+<TD>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
+ 
+<P>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS.  Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
+</TD></TR>
+
+</TABLE>
+
+
+
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<BR>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<BR>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<BR>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
--- a/windows/deploy/upgrade-analytics-get-started.md
+++ b/windows/deploy/upgrade-analytics-get-started.md
@ -95,10 +95,15 @@ The compatibility update KB scans your computers and enables application usage t
 | **Operating System** | **KBs** |
 |----------------------|-----------------------------------------------------------------------------|
 | Windows 8.1          | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513.   |
-| Windows 7 SP1        | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
+| Windows 7 SP1        | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |

 IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.

+| **Site discovery** | **KB** |
+|----------------------|-----------------------------------------------------------------------------|
+| [Review site discovery](upgrade-analytics-review-site-discovery.md)         | Site discovery requires the [July 2016 security update for Internet Explorer](https://support.microsoft.com/en-us/kb/3170106) (KB3170106) or later.  |
+
+
 ### Automate data collection

 To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
@ -151,9 +156,19 @@ To run the Upgrade Analytics deployment script:

 3.  For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.

-4.  Notify users if they need to restart their computers. By default, this is set to off.
+4.  To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:

-5.  After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
+    > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+    >
+    > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+    >
+    > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+    >
+    > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+5.  Notify users if they need to restart their computers. By default, this is set to off.
+
+6.  After you finish editing the parameters in RunConfig.bat, run the script as an administrator.

 ## Seeing data from computers in Upgrade Analytics

--- a/windows/deploy/upgrade-analytics-resolve-issues.md
+++ b/windows/deploy/upgrade-analytics-resolve-issues.md
@ -22,6 +22,12 @@ Upgrade decisions include:

 The blades in the **Resolve issues** section are:

+- Review applications with known issues
+- Review applications with no known issues
+- Review drivers with known issues
+
+As you review applications with known issues, you can also see ISV support of applications for [Ready for Windows](https://www.readyforwindows.com/).
+
 ## Review applications with known issues

 Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
@ -67,14 +73,39 @@ For applications assessed as **Fix available**, review the table below for detai
 | Fix available      | Yes                               | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate.                                                                                    | Remove the application before upgrading and reinstall on the new operating system.<br>             |
 | Fix available      | Yes                               | Disk encryption blocking upgrade                         | The application’s encryption features are blocking the upgrade.                                                                                                    | Disable the encryption feature before upgrading and enable it again after upgrading.<br>           |

+### ISV support for applications with Ready for Windows
+
+[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). 
+
+Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
+
+![Upgrade analytics Ready for Windows status](images/upgrade-analytics-ready-for-windows-status.png)
+
+If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
+
+![Upgrade analytics Ready for Windows status guidance precedence](images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png)
+
+If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. 
+
+![Name publisher rollup](images/upgrade-analytics-namepub-rollup.png)
+
+The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
+
+| Ready for Windows Status | Query rollup level | What this means | Guidance |
+|-------------------|--------------------------|-----------------|----------|
+|Supported version available    | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
+|  Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | 
+| Adopted   | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
+| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
+| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
+|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.|
+|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
+| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
+
 ## Review applications with no known issues

 Applications with no issues known to Microsoft are listed, grouped by upgrade decision.

-<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
-<img src="media/image7.png" width="197" height="336" />
-->
-
 ![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png)

 Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
@ -95,10 +126,6 @@ To change an application's upgrade decision:

 Drivers that won’t migrate to the new operating system are listed, grouped by availability.

-<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
-<img src="media/image8.png" width="197" height="316" />
-->
-
 ![Review drivers with known issues](images/upgrade-analytics-drivers-known.png)

 Availability categories are explained in the table below.
--- a/windows/deploy/upgrade-analytics-review-site-discovery.md
+++ b/windows/deploy/upgrade-analytics-review-site-discovery.md
@ -0,0 +1,68 @@
+---
+title: Review site discovery
+description: Explains how to review internet web site discovery with Upgrade Analytics.
+ms.prod: w10
+author: Justinha
+---
+
+# Review site discovery
+
+This section of the Upgrade Analytics workflow provides an inventory of web sites that are being used by client computers that run Internet Explorer on Windows 8.1 and Windows 7 in your environment. This inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. Data from Microsoft Edge is not collected. 
+
+> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+
+## Install prerequisite security update for Internet Explorer
+
+Ensure the following prerequisites are met before using site discovery:
+
+1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update](https://support.microsoft.com/kb/3170106) and later.
+2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
+3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it. 
+
+    If necessary, you can also enable it by creating the following registry entry. 
+
+    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection 
+
+    Entry name: IEDataOptIn
+
+    Data type: DWORD
+
+    Values:
+
+    > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+    >
+    > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+    >
+    > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+    >
+    > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+    For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). 
+
+    ![Create the IEDataOptIn registry key](images/upgrade-analytics-create-iedataoptin.png)
+
+## Review most active sites
+
+This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
+
+For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL. 
+
+![Most active sites](Images/upgrade-analytics-most-active-sites.png) 
+
+Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. 
+
+![Site domain detail](images/upgrade-analytics-site-domain-detail.png)
+
+## Review document modes in use 
+
+This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
+
+![Site activity by document mode](images/upgrade-analytics-site-activity-by-doc-mode.png)
+
+## Run browser-related queries 
+
+You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. 
+
+![](images/upgrade-analytics-query-activex-name.png)
+
+
--- a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
+++ b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
@ -23,4 +23,6 @@ The Upgrade Analytics workflow gives you compatibility and usage information abo

 3.  [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)

+4.  [Review site discovery](upgrade-analytics-review-site-discovery.md)
+

--- a/windows/deploy/windows-10-upgrade-paths.md
+++ b/windows/deploy/windows-10-upgrade-paths.md
@ -19,9 +19,11 @@ author: greg-lindsay

 This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).

+>**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported.
+
 >**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.  

->**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
+>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#Free-upgrade-paths).

 ✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
 D = Edition downgrade; personal data is maintained, applications and settings are removed.
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -38,7 +38,15 @@
 #### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-## [VPN profile options](vpn-profile-options.md)
+## [VPN technical guide](vpn-guide.md)
+### [VPN connection types](vpn-connection-type.md)
+### [VPN routing decisions](vpn-routing.md)
+### [VPN authentication options](vpn-authentication.md)
+### [VPN and conditional access](vpn-conditional-access.md)
+### [VPN name resolution](vpn-name-resolution.md)
+### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+### [VPN security features](vpn-security-features.md)
+### [VPN profile options](vpn-profile-options.md)
 ## [Windows security baselines](windows-security-baselines.md)
 ## [Security technologies](security-technologies.md)
 ### [Access Control Overview](access-control.md)
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@ -12,6 +12,12 @@ author: brianlic-msft
 # Change history for Keep Windows 10 secure
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).

+## October 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
+
 ## September 2016

 | New or changed topic | Description |
@ -20,7 +26,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
 |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
 | [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
-| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
+| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq example and added a new Windows PowerShell example for creating a self-signed certificate |

 ## August 2016
 |New or changed topic | Description |
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@ -40,89 +40,64 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-

 ## Hardware and software requirements

-The PC must meet the following hardware and software requirements to use Credential Guard:
+To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. 

-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Requirement</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Windows 10 Enterprise</p></td>
-<td align="left"><p>The PC must be running Windows 10 Enterprise.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>UEFI firmware version 2.3.1 or higher and Secure Boot</p></td>
-<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Virtualization extensions</p></td>
-<td align="left"><p>The following virtualization extensions are required to support virtualization-based security:</p>
-<ul>
-<li>Intel VT-x or AMD-V</li>
-<li>Second Level Address Translation</li>
-</ul></td>
-</tr>
-<tr class="even">
-<td align="left"><p>x64 architecture</p></td>
-<td align="left"><p>The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>A VT-d or AMD-Vi IOMMU (Input/output memory management unit)</p></td>
-<td align="left"><p>In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Trusted Platform Module (TPM) version 1.2 or 2.0</p></td>
-<td align="left"><p>TPM 1.2 and 2.0 provides protection for encryption keys used by virtualization-based security to protect Credential Guard secrets where all other keys are stored. See the following table to determine which TPM versions are supported on your OS.</p>
-<table>
-<th>OS version</th>
-<th>Required TPM</th>
-<tr>
-<td>Windows 10 version 1507</td>
-<td>TPM 2.0</td>
-</tr>
-<tr>
-<td>Windows 10 version 1511, Windows Server 2016, or later</td>
-<td>TPM 2.0 or TPM 1.2</td>
-</tr>
-</table>
-<div class="alert">
-<strong>Note</strong>  If you don't have a TPM installed, Credential Guard will still be enabled, but the virtualization-based security keys used to protect Credential Guard secrets will not bound to the TPM. Instead, the keys will be protected in a UEFI Boot Service variable.
-</div>
-</td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Secure firmware update process</p></td>
-<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.</p><p>Credential Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx)</p></td>
-<td align="left"><p>Credential Guard requires the secure MOR bit to help prevent certain memory attacks.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Physical PC</p></td>
-<td align="left"><p>For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Virtual machine</p></td>
-<td align="left"><p>For PCs running Windows 10, version 1607 or Windows Server 2016, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
-</tr>
-</tr>
-<tr class="even">
-<td align="left"><p>Hypervisor</p></td>
-<td align="left"><p>You must use the Windows hypervisor.</p></td>
-</tr>
-</tbody>
-</table>
- 
-¹ If you choose the **Secure Boot and DMA protection** option in the Group Policy setting, an IOMMU is required. The **Secure Boot** Group Policy option enables Credential Guard on devices without an IOMMU.
+You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+
+The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+
+> [!NOTE]  
+> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+
+
+## Credential Guard requirements for baseline protections
+
+|Baseline Protections - requirement           | Description                                        |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **64-bit CPU**              | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
+| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **IOMMU** (input/output memory management unit)  |  **Requirement**: VT-D or AMD Vi IOMMU<br><br>**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
+| Hardware: **Trusted Platform Module (TPM)**  |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.  |
+| Firmware: **Secure firmware update process**      | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Firmware: **Secure MOR implementation**  |  **Requirement**: Secure MOR implementation<br><br>**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+| Software: Qualified **Windows operating system**  | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+
+> [!IMPORTANT]
+> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
+
+## Credential Guard requirements for improved security
+
+The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
+
+### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+
+| Protections for Improved Security - requirement         | Description                                        |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+
+<br>
+
+### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+
+> [!IMPORTANT]
+> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
+
+| Protections for Improved Security - requirement         | Description                                        |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+<br>
+
+### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017) 
+
+| Protections for Improved Security - requirement         | Description                                        |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **UEFI NX Protections**  | **Requirements**:<br>- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.<br><br>UEFI Runtime Services:<br>- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.<br>- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.<br>- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |

 ## Manage Credential Guard

--- a/windows/keep-secure/images/vpn-app-rules.png
+++ b/windows/keep-secure/images/vpn-app-rules.png
--- a/windows/keep-secure/images/vpn-app-trigger.PNG
+++ b/windows/keep-secure/images/vpn-app-trigger.PNG
--- a/windows/keep-secure/images/vpn-conditional-access-intune.png
+++ b/windows/keep-secure/images/vpn-conditional-access-intune.png
--- a/windows/keep-secure/images/vpn-connection-intune.png
+++ b/windows/keep-secure/images/vpn-connection-intune.png
--- a/windows/keep-secure/images/vpn-connection.png
+++ b/windows/keep-secure/images/vpn-connection.png
--- a/windows/keep-secure/images/vpn-custom-xml-intune.png
+++ b/windows/keep-secure/images/vpn-custom-xml-intune.png
--- a/windows/keep-secure/images/vpn-device-compliance.png
+++ b/windows/keep-secure/images/vpn-device-compliance.png
--- a/windows/keep-secure/images/vpn-eap-xml.png
+++ b/windows/keep-secure/images/vpn-eap-xml.png
--- a/windows/keep-secure/images/vpn-intune-policy.png
+++ b/windows/keep-secure/images/vpn-intune-policy.png
--- a/windows/keep-secure/images/vpn-name-intune.png
+++ b/windows/keep-secure/images/vpn-name-intune.png
--- a/windows/keep-secure/images/vpn-profilexml-intune.png
+++ b/windows/keep-secure/images/vpn-profilexml-intune.png
--- a/windows/keep-secure/images/vpn-split-route.png
+++ b/windows/keep-secure/images/vpn-split-route.png
--- a/windows/keep-secure/images/vpn-split.png
+++ b/windows/keep-secure/images/vpn-split.png
--- a/windows/keep-secure/images/vpn-traffic-rules.png
+++ b/windows/keep-secure/images/vpn-traffic-rules.png
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@ -312,7 +312,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <tr class="header">
 <th align="left">Windows Hello for Business mode</th>
 <th align="left">Azure AD</th>
-<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016)</th>
 <th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
 </tr>
 </thead>
@ -321,11 +320,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <td align="left">Key-based authentication</td>
 <td align="left">Azure AD subscription</td>
 <td align="left"><ul>
-<li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
-<li>A few Windows Server 2016 domain controllers on-site</li>
-<li>Microsoft System Center 2012 R2 Configuration Manager SP2</li>
-</ul></td>
-<td align="left"><ul>
 <li>Azure AD subscription</li>
 <li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
 <li>A few Windows Server 2016 domain controllers on-site</li>
@ -341,12 +335,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <li>PKI infrastructure</li>
 </ul></td>
 <td align="left"><ul>
-<li>ADFS (Windows Server 2016)</li>
-<li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
-<li>PKI infrastructure</li>
-<li>Configuration Manager SP2, Intune, or non-Microsoft MDM solution</li>
-</ul></td>
-<td align="left"><ul>
 <li>Azure AD subscription</li>
 <li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
 <li>AD CS with NDES</li>
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@ -26,7 +26,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
 | [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
 | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
 |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
-| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
 | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
 | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
 | [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@ -298,7 +298,6 @@ Table 1. Deployment requirements for Microsoft Passport
 <th align="left">Microsoft Passport method</th>
 <th align="left">Azure AD</th>
 <th align="left">Hybrid Active Directory</th>
-<th align="left">On-premises Active Directory only</th>
 </tr>
 </thead>
 <tbody>
@ -312,8 +311,6 @@ Table 1. Deployment requirements for Microsoft Passport
 <li>A management solution, such as Configuration Manager, Group Policy, or MDM</li>
 <li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li>
 </ul></td>
-<td align="left"><p>One or more Windows Server 2016 Technical Preview domain controllers</p>
-<p>AD FS of Windows Server 2016 Technical Preview</p></td>
 </tr>
 <tr class="even">
 <td align="left">Certificate-based</td>
@ -326,9 +323,6 @@ Table 1. Deployment requirements for Microsoft Passport
 <li>AD CS with NDES</li>
 <li>Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
 </ul></td>
-<td align="left"><p>AD DS Windows Server 2016 Technical Preview schema </p>
-<p>AD FS of Windows Server 2016 Technical Preview</p>
-<p>PKI infrastructure  System Center 2012 R2 Configuration Manager with SP2 or later</p></td>
 </tr>
 </tbody>
 </table>
--- a/windows/keep-secure/remote-credential-guard.md
+++ b/windows/keep-secure/remote-credential-guard.md
@ -35,7 +35,6 @@ The Remote Desktop client and server must meet the following requirements in ord
 - They must be running at least Windows 10, version 1607 or Windows Server 2016.
 - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.

-
 ## Enable Remote Credential Guard

 You must enable Remote Credential Guard on the target device by using the registry.
@ -60,12 +59,13 @@ You can use Remote Credential Guard on the client device by setting a Group Poli

 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
 2. Double-click **Restrict delegation of credentials to remote servers**.
-3. In the **Use the following restricted mode** box:
-    - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
+3. Under **Use the following restricted mode**:
+    - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.

        > **Note:**  Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
        
-    - If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**.
+    - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
+    
 4. Click **OK**.

    ![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@ -74,6 +74,8 @@ Event ID | Error Type | Resolution steps
 ## Troubleshoot onboarding issues using Microsoft Intune
 You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.

+If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
+
 Use the following tables to understand the possible causes of issues while onboarding:

 - Microsoft Intune error codes and OMA-URIs table
@ -114,7 +116,7 @@ Channel name: Admin

 ID | Severity | Event description | Troubleshooting steps
 :---|:---|:---|:---
-1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).

 ## Troubleshoot onboarding issues on the endpoint
 If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
--- a/windows/keep-secure/vpn-authentication.md
+++ b/windows/keep-secure/vpn-authentication.md
@ -0,0 +1,61 @@
+---
+title: VPN authentication options (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN authentication options
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
+
+Windows supports a number of EAP authentication methods. 
+
+<table>
+<thead><tr><th>Method</th><th>Details</th></thead>
+<tbody>
+<tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
+<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
+<tr><td><a href="https://msdn.microsoft.com/library/cc754179.aspx">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="https://msdn.microsoft.com/library/cc238384.aspx">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr>
+<tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li>Trusted root certificate for server certificate</li><li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody>
+</table>
+</br>
+
+For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
+
+- Smart card
+- Certificate
+- Windows Hello for Business
+- User name and password
+- One-time password
+- Custom credential type
+
+## Configure authentication
+
+See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for EAP XML configuration. 
+
+>[!NOTE]
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) to create a smart card certificate. [Learn more about Windows Hello for Business.](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
+
+The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
+
+![EAP XML configuration in Intune profile](images/vpn-eap-xml.png)
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
--- a/windows/keep-secure/vpn-auto-trigger-profile.md
+++ b/windows/keep-secure/vpn-auto-trigger-profile.md
@ -0,0 +1,88 @@
+---
+title: VPN auto-triggered profile options (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN auto-triggered profile options
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: 
+
+- App trigger
+- Name-based trigger
+- Always On
+
+## App trigger
+
+VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
+
+The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
+
+[Find a package family name (PFN) for per-app VPN configuration](https://docs.microsoft.com/intune/deploy-use/find-a-pfn-for-per-app-vpn)
+
+
+## Name-based trigger
+
+You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
+ 
+Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+There are four types of name-based triggers:
+
+- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
+- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
+- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
+- All: if used, all DNS resolution should trigger VPN.
+
+
+## Always On
+
+Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: 
+
+- User sign-in 
+- Network change 
+- Device screen on 
+
+When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
+
+
+When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. 
+
+## Trusted network detection
+
+This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
+
+Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+
+## Configure app-triggered VPN
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
+
+![Add an app for the VPN connection](images/vpn-app-trigger.png)
+
+After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. 
+
+![Configure rules for the app](images/vpn-app-rules.png)
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
--- a/windows/keep-secure/vpn-conditional-access.md
+++ b/windows/keep-secure/vpn-conditional-access.md
@ -0,0 +1,127 @@
+---
+title: VPN and conditional access (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN and conditional access
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.  
+
+>[!NOTE]
+>Conditional Access is an Azure AD Premium feature. 
+
+Conditional Access Platform components used for Device Compliance include the following cloud-based services:
+- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
+
+- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/)
+
+- [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
+
+- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA).  An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
+
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules.  If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN.  Note that certificate authentication methods such as EAP-TLS can be used. 
+
+    Additional details regarding the Azure AD issued short-lived certificate: 
+    - The default lifetime is 60 minutes and is configurable
+    - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
+
+- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
+
+    - Antivirus status
+    - Auto-update status and update compliance
+    - Password policy compliance
+    - Encryption compliance
+    - Device health attestation state (validated against attestation service after query)
+
+
+The following client-side components are also required:
+- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
+- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
+- Trusted Platform Module (TPM)
+
+## VPN device compliance 
+
+Server-side infrastructure requirements to support VPN device compliance include:
+
+- The VPN server should be configured for certificate authentication.
+- The VPN server should trust the tenant-specific Azure AD CA
+- Either of the below should be true for Kerberos/NTLM SSO:
+   -	Domain servers trust Azure AD CA
+   -	A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
+   
+After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
+
+Two client-side configuration service providers are leveraged for VPN device compliance.
+
+- VPNv2 CSP DeviceCompliance settings
+   - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
+   - **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for  Kerberos authentication in the case of device compliance.
+   - **Sso/Enabled**: if this field is set to **true**, the VPN client will look for a separate certificate for Kerberos authentication.
+   - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
+   - **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
+- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
+   - Collects TPM data used to verify health states
+   - Forwards the data to the Health Attestation Service (HAS)
+   - Provisions the Health Attestation Certificate received from the HAS
+   - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+   
+## Client connection flow
+
+
+The  VPN client side connection flow works as follows:
+
+![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
+ 
+When a Device Compliance-enabled VPN connection profile is triggered (either manually or automatically):
+
+1.	 The VPN client calls into Windows 10’s AAD Token Broker, identifying itself as a VPN client.
+2.	 The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
+3.	 If compliant, Azure AD requests a short-lived certificate
+4.	 Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
+5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
+
+
+
+## Configure conditional access
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
+
+![conditional access in profile](images/vpn-conditional-access-intune.png)
+
+>[!NOTE]
+>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profile’s successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the user’s device yet.
+
+## Learn more about Conditional Access and Azure AD Health
+
+- [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
+- [Getting started with Azure Active Directory Conditional Access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access-azuread-connected-apps/)
+- [Control the health of Windows 10-based devices](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
--- a/windows/keep-secure/vpn-connection-type.md
+++ b/windows/keep-secure/vpn-connection-type.md
@ -0,0 +1,84 @@
+---
+title: VPN connection types (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN connection types
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
+
+There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 
+
+![VPN connection types](images/vpn-connection.png)
+
+## Built-in VPN client
+
+- Tunneling protocols
+
+    - [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
+
+      Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+           
+    - [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
+
+      L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+    
+    - [PPTP](https://technet.microsoft.com/library/ff687676.aspx)
+
+    - [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
+
+        SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
+        
+- Automatic
+
+    The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure. 
+
+    Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+    
+  
+ 
+## Universal Windows Platform VPN plug-in
+
+The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.  
+
+There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
+
+## Configure connection type
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
+
+![Available connection types](images/vpn-connection-intune.png)
+     
+In Intune, you can also include custom XML for third-party plug-in profiles.
+
+![Custom XML](images/vpn-custom-xml-intune.png)
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
+    
+
+
+
+
+
--- a/windows/keep-secure/vpn-guide.md
+++ b/windows/keep-secure/vpn-guide.md
@ -0,0 +1,45 @@
+---
+title: Windows 10 VPN technical guide (Windows 10)
+description: Use this guide to configure VPN deployment for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Windows 10 VPN technical guide
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
+
+![Intune VPN policy template](images/vpn-intune-policy.png)
+
+>[!NOTE]
+>This guide does not explain server deployment.  
+
+## In this guide
+
+| Topic | Description  |
+| --- | --- |
+| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
+| [VPN routing decisions](vpn-routing.md)  | Choose between split tunnel and force tunnel configuration |
+| [VPN authentication options](vpn-authentication.md)  | Select a method for Extensible Authentication Protocol (EAP) authentication. |
+| [VPN and conditional access](vpn-conditional-access.md)  | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
+| [VPN name resolution](vpn-name-resolution.md)  | Decide how name resolution should work |
+| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)  | Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks |
+| [VPN security features](vpn-security-features.md)  | Set a LockDown VPN profile, configure traffic filtering, and connect VPN profile to Windows Information Protection (WIP) |
+| [VPN profile options](vpn-profile-options.md)  | Combine settings into single VPN profile using XML |
+
+
+## Learn more
+
+- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
+
+
+
--- a/windows/keep-secure/vpn-name-resolution.md
+++ b/windows/keep-secure/vpn-name-resolution.md
@ -0,0 +1,82 @@
+---
+title: VPN name resolution (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN name resolution
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
+
+The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces. 
+
+## Name Resolution Policy table (NRPT)
+ 
+The NRPT is a table of namespaces that determines the DNS client’s havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
+
+There are 3 types of name matches that can  set up for NRPT:
+
+- Fully qualified domain name (FQDN) that can  used for direct matching to a name
+
+- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
+
+- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
+
+NRPT is set using the **VPNv2/*ProfileName*/DomainNameInformationList** node of the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). This node also configures Web proxy server or domain name servers. 
+
+[Learn more about NRPT](https://technet.microsoft.com/library/ee649207%28v=ws.10%29.aspx)
+
+ 
+## DNS suffix
+
+This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
+
+Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
+
+
+
+[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
+
+## Persistent
+
+You can also configure *persistent* name resolution rules. Name resolution for specified items will only  performed over VPN.
+
+Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
+
+
+
+## Configure name resolution
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
+
+![Add DNS rule](images/vpn-name-intune.png)
+
+The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
+
+| Field | XML |
+| --- | --- |
+| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName**  |
+| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers**  |
+| **Proxy server** |  **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers**  |
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@ -16,48 +16,288 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile

-Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
+Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). 

-## Always On
+>[!NOTE]
+>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.

-Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
-   User sign-on
-   Network change
+The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.

-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** &gt; **Network & Internet** &gt; **VPN** &gt; *VPN profile* &gt; **Let apps automatically use this VPN connection**.
+| Profile setting | Can be configured in Intune and Configuration Manager | 
+| --- | --- | 
+| Connection type | yes | 
+| Routing: split-tunnel routes | yes, except exclusion routes |
+| Routing: forced-tunnel | yes |
+| Authentication (EAP) | yes, if connection type is built-in |
+| Conditional access | yes |
+| Proxy settings | yes, by PAC/WPAD file or server and port |
+| Name resolution: NRPT | yes |
+| Name resolution: DNS suffix | no |
+| Name resolution: persistent | no |
+| Auto-trigger: app trigger | yes |
+| Auto-trigger: name trigger | yes |
+| Auto-trigger: Always On | no |
+| Auto-trigger: trusted network detection | no |
+| LockDown | no |
+| Windows Information Protection (WIP) | no |
+| Traffic filters | yes |

-## App-triggered VPN
+The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.

-VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. This feature was included in Windows 8.1 as "On demand VPN". The applications can be defined using the following:
-   Package family name for Universal Windows Platform (UWP) apps
-   File path for Classic Windows applications

-## Traffic filters
+## Sample Native VPN profile

-Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy . With the ever-increasing landscape of remote threats on the corporate network and lesser IT controls on machines, it becomes essential to control the traffic that is allowed through. While server-side layers of firewalls and proxies help, by adding traffic filters the first layer of filtering can be moved onto the client with more advanced filtering on the server side. There are two types of Traffic Filter rules:
+The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. 

-   **App-based rules**. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
-   **Traffic-based rules**. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
+```
+<VPNProfile>  
+  <ProfileName>TestVpnProfile</ProfileName>  
+  <NativeProfile>  
+    <Servers>testServer.VPN.com</Servers>  
+    <NativeProtocolType>IKEv2</NativeProtocolType> 
+    
+    <!--Sample EAP profile (PEAP)--> 
+    <Authentication>  
+      <UserMethod>Eap</UserMethod>  
+      <MachineMethod>Eap</MachineMethod>  
+      <Eap>  
+       <Configuration>
+          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
+            <EapMethod>
+              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
+              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
+              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
+              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
+            </EapMethod>
+            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
+              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
+                <Type>25</Type>
+                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
+                  <ServerValidation>
+                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
+                    <ServerNames></ServerNames>
+                    <TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
+                    <TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
+                  </ServerValidation>
+                  <FastReconnect>true</FastReconnect>
+                  <InnerEapOptional>false</InnerEapOptional>
+                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
+                    <Type>13</Type>
+                    <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
+                      <CredentialsSource>
+                        <CertificateStore>
+                          <SimpleCertSelection>true</SimpleCertSelection>
+                        </CertificateStore>
+                      </CredentialsSource>
+                      <ServerValidation>
+                        <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
+                        <ServerNames></ServerNames>
+                        <TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
+                        <TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
+                      </ServerValidation>
+                      <DifferentUsername>false</DifferentUsername>
+                      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
+                      <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
+                      <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
+                        <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
+                          <EKUMapping>
+                            <EKUMap>
+                              <EKUName>AAD Conditional Access</EKUName>
+                              <EKUOID>1.3.6.1.4.1.311.87</EKUOID>
+                            </EKUMap>
+                          </EKUMapping>
+                          <ClientAuthEKUList Enabled="true">
+                            <EKUMapInList>
+                              <EKUName>AAD Conditional Access</EKUName>
+                            </EKUMapInList>
+                          </ClientAuthEKUList>
+                        </FilteringInfo>
+                      </TLSExtensions>
+                    </EapType>
+                  </Eap>
+                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
+                  <RequireCryptoBinding>true</RequireCryptoBinding>
+                  <PeapExtensions>
+                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
+                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
+                  </PeapExtensions>
+                </EapType>
+              </Eap>
+            </Config>
+          </EapHostConfig>
+        </Configuration>
+      </Eap>  
+    </Authentication>  
+    
+    <!--Sample routing policy: in this case, this is a split tunnel configuration with two routes configured-->
+    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>  
+    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>  
+  </NativeProfile>  
+    <Route>  
+    <Address>192.168.0.0</Address>  
+    <PrefixSize>24</PrefixSize>  
+  </Route>  
+  <Route>  
+    <Address>10.10.0.0</Address>  
+    <PrefixSize>16</PrefixSize>  
+  </Route>  
+  
+  <!--VPN will be triggered for the two apps specified here-->
+  <AppTrigger>  
+    <App>  
+      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>  
+    </App>  
+  </AppTrigger>  
+  <AppTrigger>  
+    <App>  
+      <Id>C:\windows\system32\ping.exe</Id>  
+    </App>  
+  </AppTrigger>  
+  
+  <!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by the routing configuration.-->
+  <TrafficFilter>  
+    <App>  
+      <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>  
+    </App>  
+    <Protocol>6</Protocol>  
+    <LocalPortRanges>10,20-50,100-200</LocalPortRanges>  
+    <RemotePortRanges>20-50,100-200,300</RemotePortRanges>  
+    <RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>  
+    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>  
+  </TrafficFilter>  
+  <TrafficFilter>  
+    <App>  
+      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>  
+    </App>  
+    <LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>  
+  </TrafficFilter>  
+  
+  <!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile, the domain "hrsite.corporate.contoso.com" triggers VPN.-->
+  <DomainNameInformation>  
+    <DomainName>hrsite.corporate.contoso.com</DomainName>  
+    <DnsServers>1.2.3.4,5.6.7.8</DnsServers>  
+    <WebProxyServers>5.5.5.5</WebProxyServers>  
+    <AutoTrigger>true</AutoTrigger>  
+  </DomainNameInformation>  
+  <DomainNameInformation>  
+    <DomainName>.corp.contoso.com</DomainName>  
+    <DnsServers>10.10.10.10,20.20.20.20</DnsServers>  
+    <WebProxyServers>100.100.100.100</WebProxyServers>  
+  </DomainNameInformation>  
+  
+  <!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that ID, VPN will be triggered.-->
+  <EdpModeId>corp.contoso.com</EdpModeId>  
+  <RememberCredentials>true</RememberCredentials>  
+  
+  <!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the profile will not occur if the user is connected to the trusted network "contoso.com".-->
+  <AlwaysOn>false</AlwaysOn>  
+  <DnsSuffix>corp.contoso.com</DnsSuffix>  
+  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>  
+  <Proxy>  
+    <Manual>  
+      <Server>HelloServer</Server>  
+    </Manual>  
+    <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>  
+  </Proxy>  
+  
+  <!--Device compliance is enabled and an alternate certificate is specified for domain resource authentication.-->
+  <DeviceCompliance>  
+        <Enabled>true</Enabled>  
+        <Sso>  
+            <Enabled>true</Enabled>  
+            <Eku>This is my Eku</Eku>  
+            <IssuerHash>This is my issuer hash</IssuerHash>  
+        </Sso>  
+    </DeviceCompliance>  
+</VPNProfile> 
+```

-There can be many sets of rules which are linked by **OR**. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by **AND**. This gives the IT admins a lot of power to craft the perfect policy befitting their use case.
+## Sample plug-in VPN profile

-## LockDown VPN
+The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. 

-A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
-   The system attempts to keep the VPN connected at all times.
-   The user cannot disconnect the VPN connection.
-   The user cannot delete or modify the VPN profile.
-   The VPN LockDown profile uses forced tunnel connection.
-   If the VPN connection is not available, outbound network traffic is blocked.
-   Only one VPN LockDown profile is allowed on a device.
-> **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
- 
-## Learn about VPN and the Conditional Access Framework in Azure Active Directory
+```
+<VPNProfile>
+	<ProfileName>TestVpnProfile</ProfileName>
+	<PluginProfile>
+		<ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
+		<PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
+		<CustomConfiguration>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</CustomConfiguration>
+	</PluginProfile>
+	<Route>
+		<Address>192.168.0.0</Address>
+		<PrefixSize>24</PrefixSize>
+	</Route>
+	<Route>
+		<Address>10.10.0.0</Address>
+		<PrefixSize>16</PrefixSize>
+	</Route>
+	<AppTrigger>
+		<App>
+			<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+		</App>
+	</AppTrigger>
+	<AppTrigger>
+		<App>
+			<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
+		</App>
+	</AppTrigger>
+	<TrafficFilter>
+		<App>
+			<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
+		</App>
+		<Protocol>6</Protocol>
+		<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
+		<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
+		<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
+		<!--<RoutingPolicyType>ForceTunnel</RoutingPolicyType>-->
+	</TrafficFilter>
+	<TrafficFilter>
+		<App>
+			<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+		</App>
+		<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
+	</TrafficFilter>
+	<TrafficFilter>
+		<App>
+			<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+		</App>
+		<Claims>O:SYG:SYD:(A;;CC;;;AU)</Claims>
+		<!--<RoutingPolicyType>SplitTunnel</RoutingPolicyType>-->
+	</TrafficFilter>
+	<DomainNameInformation>
+		<DomainName>corp.contoso.com</DomainName>
+		<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
+		<WebProxyServers>5.5.5.5</WebProxyServers>
+		<AutoTrigger>false</AutoTrigger>
+	</DomainNameInformation>
+	<DomainNameInformation>
+		<DomainName>corp.contoso.com</DomainName>
+		<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
+		<WebProxyServers>100.100.100.100</WebProxyServers>
+	</DomainNameInformation>
+	<!--<EdpModeId>corp.contoso.com</EdpModeId>-->
+	<RememberCredentials>true</RememberCredentials>
+	<AlwaysOn>false</AlwaysOn>
+	<DnsSuffix>corp.contoso.com</DnsSuffix>
+	<TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
+	<Proxy>
+		<Manual>
+			<Server>HelloServer</Server>
+		</Manual>
+		<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
+	</Proxy>
+</VPNProfile>  

- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
+```
+
+## Apply ProfileXML using Intune
+
+After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
+
+The OMS-URI setting to apply ProfileXML is **./user/vendor/MSFT/*VPN profile name*/ProfileXML**.
+
+![Paste your ProfileXML in OMA-URI Setting value field](images/vpn-profilexml-intune.png)

 ## Learn more

@ -65,3 +305,13 @@ A VPN profile configured with LockDown secures the device to only allow network
 - [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
 - [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)

+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
--- a/windows/keep-secure/vpn-routing.md
+++ b/windows/keep-secure/vpn-routing.md
@ -0,0 +1,68 @@
+---
+title: VPN routing decisions (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN routing decisions
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. 
+
+## Split tunnel configuration
+
+In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface. 
+
+Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+ 
+For each route item in the list the following can be specified: 
+
+- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
+- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
+- **Exclusion route**: VPNv2/*ProfileName*/RouteList/*routeRowId*/ExclusionRoute
+   
+   Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface. 
+
+Routes can also be added at connect time through the server for UWP VPN apps.  
+
+## Force tunnel configuration
+
+In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified. 
+
+The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the Physical Interface itself. 
+
+For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
+
+For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.  
+
+## Configure routing
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
+
+![split tunnel](images/vpn-split.png)
+
+Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.   
+  
+![add route for split tunnel](images/vpn-split-route.png)
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
--- a/windows/keep-secure/vpn-security-features.md
+++ b/windows/keep-secure/vpn-security-features.md
@ -0,0 +1,87 @@
+---
+title: VPN security features (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN security features
+
+**Applies to**
+-   Windows 10
+-   Windows 10 Mobile
+
+
+## LockDown VPN
+
+A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
+
+- The system attempts to keep the VPN connected at all times.
+- The user cannot disconnect the VPN connection.
+- The user cannot delete or modify the VPN profile.
+- The VPN LockDown profile uses forced tunnel connection.
+- If the VPN connection is not available, outbound network traffic is blocked.
+- Only one VPN LockDown profile is allowed on a device. 
+
+>[!NOTE]
+>For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
+
+Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected. 
+
+
+
+## Windows Information Protection (WIP) integration with VPN
+
+Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
+
+The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
+
+- Core functionality: File encryption and file access blocking
+- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
+- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
+- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
+
+The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app. 
+
+Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
+
+[Learn more about Windows Information Protection](protect-enterprise-data-using-wip.md)
+
+
+## Traffic filters
+
+Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
+
+- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
+- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
+
+There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level. 
+
+For example, an admin could define rules that specify: 
+
+- The Contoso HR App must be allowed to go through the VPN and only access port 4545. 
+- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
+- All other apps on the device should be able to access only ports 80 or 443.  
+
+## Configure traffic filters
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
+
+The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
+
+![Add a traffic rule](images/vpn-traffic-rules.png)
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN profile options](vpn-profile-options.md)
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@ -20,6 +20,7 @@ localizationpriority: high
 - Windows 10 Pro
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
 >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).

 Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@ -86,6 +86,7 @@
 ##### [About App-V Reporting](appv-reporting.md)
 ##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
 #### [App-V Deployment Checklist](appv-deployment-checklist.md)
+#### [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
 #### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
 #### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
 ### [Operations for App-V](appv-operations.md)
--- a/windows/manage/appv-deploying-appv.md
+++ b/windows/manage/appv-deploying-appv.md
@ -30,7 +30,8 @@ App-V supports a number of different deployment options. Review this topic for i

    This section provides a deployment checklist that can be used to assist with installing App-V.

-   [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)<br>
+-   [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)<br>
+[Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)<br>
 [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)

    These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.
--- a/windows/manage/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2016-with-appv.md
@ -0,0 +1,444 @@
+---
+title: Deploying Microsoft Office 2016 by Using App-V (Windows 10)
+description: Deploying Microsoft Office 2016 by Using App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Deploying Microsoft Office 2016 by Using App-V
+
+**Applies to**
+-   Windows 10, version 1607
+
+Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md).
+
+This topic contains the following sections:
+
+-   [What to know before you start](#what-to-know-before-you-start)
+
+-   [Creating an Office 2016 package for App-V with the Office Deployment Tool](#creating-an-office-2016-package-for-app-v-with-the-office-deployment-tool) 
+
+-   [Publishing the Office package for App-V](#publishing-the-office-package-for-app-v) 
+
+-   [Customizing and managing Office App-V packages](#customizing-and-managing-office-app-v-packages) 
+
+## What to know before you start
+
+Before you deploy Office 2016 by using App-V, review the following planning information.
+
+### Supported Office versions and Office coexistence
+
+Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
+
+| **Information to review**           | **Description**        |
+|-------------------------------------|------------------------|
+| [Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv)     | - Supported versions of Office<br>- Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)<br>- Office licensing options |
+| [Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting) | Considerations for installing different versions of Office on the same computer   |
+
+### Packaging, publishing, and deployment requirements
+
+Before you deploy Office by using App-V, review the following requirements.
+
+ 
+
+| **Task**  | **Requirement**   |
+|-----------|-------------------|
+| Packaging  | - All of the Office applications that you want to deploy to users must be in a single package.<br>- In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.<br>- If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
+| Publishing   | - You can publish only one Office package to each client computer.<br>- You must publish the Office package globally. You cannot publish to the user. |
+| Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:<br>- Office 365 ProPlus<br>- Visio Pro for Office 365<br>- Project Pro for Office 365 | You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx). |
+
+### Excluding Office applications from a package
+
+The following table describes the recommended methods for excluding specific Office applications from a package.
+
+| **Task**    | **Details**   |
+|-------------|---------------|
+| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.<br><br>For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#BKMK_ExcludeAppElement). |
+| Modify the DeploymentConfig.xml file                                                            | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.<br>For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications).                      |
+
+## Creating an Office 2016 package for App-V with the Office Deployment Tool
+
+Complete the following steps to create an Office 2016 package for App-V.
+
+>**Important**&nbsp;&nbsp;In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
+
+### Review prerequisites for using the Office Deployment Tool
+
+The computer on which you are installing the Office Deployment Tool must have:
+
+ 
+
+| **Prerequisite**     | **Description**    |
+|----------------------|--------------------|
+| Prerequisite software    | .Net Framework 4    |
+| Supported operating systems | -   64-bit version of Windows 10<br>- 64-bit version of Windows 8 or 8.1<br>- 64-bit version of Windows 7 |
+
+>**Note**&nbsp;&nbsp;In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
+
+### Create Office 2016 App-V Packages Using Office Deployment Tool
+
+You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
+
+Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
+
+### Download the Office Deployment Tool
+
+Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
+
+1.  Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
+
+    > **Important**&nbsp;&nbsp;You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
+
+2.  Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
+
+    Example: \\\\Server\\Office2016
+
+3.  Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
+
+### Download Office 2016 applications
+
+After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package.
+
+The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
+
+**Step 1: Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
+
+1.  Open the sample XML file in Notepad or your favorite text editor.
+
+2.  With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
+
+    ```
+    <Configuration>
+       <Add SourcePath= ”\\Server\Office2016” OfficeClientEdition="32" >
+        <Product ID="O365ProPlusRetail ">
+          <Language ID="en-us" />
+        </Product>
+        <Product ID="VisioProRetail">
+          <Language ID="en-us" />
+        </Product>
+      </Add>  
+    </Configuration>
+    ```
+    
+    >**Note**&nbsp;&nbsp;The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the “&lt;! - -“ from the beginning of the line, and the “-- &gt;” from the end of the line.
+
+    The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
+
+| **Input**    | **Description**            | **Example**    |
+|--------------|----------------------------|----------------|
+| Add element  | Specifies the products and languages to include in the package.     | N/A     |
+| OfficeClientEdition (attribute of Add element) | Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** is not set to a valid value.     | **OfficeClientEdition**="32"<br>**OfficeClientEdition**="64"  |
+| Product element   | Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.<br>For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297).   | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
+| Language element     | Specifies the language supported in the applications    | `Language ID="en-us"`   |
+| Version (attribute of Add element) | Optional. Specifies a build to use for the package<br>Defaults to latest advertised build (as defined in v32.CAB at the Office source).   | `16.1.2.3`    |
+| SourcePath (attribute of Add element)   | Specifies the location in which the applications will be saved to.    | `Sourcepath = "\\Server\Office2016"`     |
+| Channel (part of Add element)       | Optional. Defines which channel to use for updating Office after it is installed.<br>The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Online Desktop Client. <br>For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://technet.microsoft.com/library/mt455210.aspx). | `Channel="Current"`<br><br>`Channel="Deferred"`<br><br>`Channel="FirstReleaseDeferred"`<br><br>`Channel="FirstReleaseCurrent"`  |
+
+After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
+
+**Step 2: Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
+
+`\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml`
+
+In the example:
+
+| Element | Description |
+|-------------------------------|--------------------------------------|
+| **\\\\server\\Office2016**    | is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.    |
+| **Setup.exe**   | is the Office Deployment Tool.     |
+| **/download**   | downloads the Office 2016 applications that you specify in the customConfig.xml file.  |
+| **\\\\server\\Office2016\\Customconfig.xml** | passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\\\Server\\Office2016. |
+
+### Convert the Office applications into an App-V package
+
+After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model.
+
+**Summary of what you’ll need to do:**
+
+-   Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
+
+-   Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
+
+    The following table summarizes the values you need to enter in the CustomConfig.xml file. The steps in the sections that follow the table will specify the exact entries you need to make.
+
+>**Note**&nbsp;&nbsp;You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+
+| **Product ID**                                   | **Subscription Licensing**                                  |
+|--------------------------------------------------|-------------------------------------------------------------|
+| **Office 2016**                                  | O365ProPlusRetail                                           |
+| **Office 2016 with Visio 2016**                  | O365ProPlusRetail<br>VisioProRetail                         |
+| **Office 2016 with Visio 2016 and Project 2016** | O365ProPlusRetail<br>VisioProRetail<br>ProjectProRetail     |
+
+#### How to convert the Office applications into an App-V package
+1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
+
+    - **SourcePath**: Point to the Office applications downloaded earlier.
+
+    - **ProductID**: Specify the type of licensing, as shown in the following example:
+
+        - Subscription Licensing:
+        ```
+<Configuration>
+   <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
+    <Product ID="O365ProPlusRetail">
+      <Language ID="en-us" />
+    </Product>
+    <Product ID="VisioProRetail">
+      <Language ID="en-us" />
+    </Product>
+  </Add>  
+</Configuration>
+        ```
+        In this example, the following changes were made to create a package with Subscription licensing:
+        
+        **SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier.<br>
+        **Product ID** for Office was changed to `O365ProPlusRetail`.<br>
+        **Product ID** for Visio was changed to `VisioProRetail`.
+        
+    - **ExcludeApp** (optional): Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.
+
+    - **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
+        
+        An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
+        
+        >**Note**&nbsp;&nbsp;Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
+
+2.	Use the /packager command to convert the Office applications to an Office 2016 App-V package.
+
+    For example:
+
+    ``` syntax
+    \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml  \\server\share\Office2016AppV
+    ```
+
+    In the example:
+
+    <table>
+    <colgroup>
+    <col width="50%" />
+    <col width="50%" />
+    </colgroup>
+    <tbody>
+    <tr class="odd">
+    <td align="left"><p><code>\\server\Office2016</code></p></td>
+    <td align="left"><p>is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.</p></td>
+    </tr>
+    <tr class="even">
+    <td align="left"><p><code>Setup.exe</code></p></td>
+    <td align="left"><p>is the Office Deployment Tool.</p></td>
+    </tr>
+    <tr class="odd">
+    <td align="left"><p><code>/packager</code></p></td>
+    <td align="left"><p>creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.</p></td>
+    </tr>
+    <tr class="even">
+    <td align="left"><p><code>\\server\Office2016\Customconfig.xml</code></p></td>
+    <td align="left"><p>passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.</p></td>
+    </tr>
+    <tr class="odd">
+    <td align="left"><p><code>\\server\share\Office2016AppV</code></p></td>
+    <td align="left"><p>specifies the location of the newly created Office App-V package.</p></td>
+    </tr>
+    </tbody>
+    </table>
+
+    After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:<br>
+    
+    - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files.
+    - **WorkingDir**
+
+    **Note**&nbsp;&nbsp;To troubleshoot any issues, see the log files in the %temp% directory (default).
+
+3. Verify that the Office 2016 App-V package works correctly:
+
+    1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear.
+
+    2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
+
+## Publishing the Office package for App-V
+
+Use the following information to publish an Office package.
+
+### Methods for publishing Office App-V packages
+
+Deploy the App-V package for Office 2016 by using the same methods you use for any other package:
+
+-   System Center Configuration Manager
+
+-   App-V Server
+
+-   Stand-alone through Windows PowerShell commands
+
+### Publishing prerequisites and requirements
+
+| **Prerequisite or requirement**       | **Details**        |
+|---------------------------------------|--------------------|
+| Enable Windows PowerShell scripting on the App-V clients | To publish Office 2016 packages, you must run a script.<br><br>Package scripts are disabled by default on App-V clients. To enable scripting, run the following Windows PowerShell command:<br>`Set-AppvClientConfiguration -EnablePackageScripts 1`    |
+| Publish the Office 2016 package globally     | Extension points in the Office App-V package require installation at the computer level.<br><br>When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages. |
+
+### How to publish an Office package
+
+Run the following command to publish an Office package globally:
+
+-   `Add-AppvClientPackage <Path_to_AppV_Package > | Publish-AppvClientPackage -global`
+
+-   From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
+
+## Customizing and managing Office App-V packages
+
+To manage your Office App-V packages, use the same operations as you would for any other package, with a few exceptions as outlined in the following sections.
+
+-   [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups) 
+
+-   [Disabling Office 2016 applications](#disabling-office-2016-applications) 
+
+-   [Disabling Office 2016 shortcuts](#disabling-office-2016-shortcuts) 
+
+-   [Managing Office 2016 package upgrades](#managing-office-2016-package-upgrades) 
+
+-   [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office) 
+
+### Enabling Office plug-ins by using connection groups
+
+Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
+
+#### To enable plug-ins for Office App-V packages
+
+1.  Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
+
+2.  Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+
+3.  Create an App-V package that includes the desired plug-ins.
+
+4.  Add a Connection Group through App-V server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
+
+5.  Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
+
+    > **Important**&nbsp;&nbsp;The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
+
+6.  Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package.
+
+7.  Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2016 App-V package has.
+
+    Since the Office 2016 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published.
+
+8.  Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
+
+9.  If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
+
+10.  Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2016 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
+
+11.  After you successfully publish both packages and enable the Connection Group, start the target Office 2016 application and verify that the plug-in you published and added to the connection group works as expected.
+
+### Disabling Office 2016 applications
+
+You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+>**Note**&nbsp;&nbsp;To exclude specific Office applications (for example, Access) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
+
+#### To disable an Office 2016 application
+
+1.  Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications."
+
+2.  Search for the Office application you want to disable, for example, Access 2016.
+
+3.  Change the value of "Enabled" from "true" to "false."
+
+4.  Save the Deployment Configuration File.
+
+5.  Add the Office 2016 App-V Package with the new Deployment Configuration File.
+
+    ``` syntax
+    <Application Id="[{AppVPackageRoot}]\officel6\lync.exe" Enabled="true">
+      <VisualElements>
+        <Name>Lync 2016</Name>
+        <Icon />
+        <Description />
+      </VisualElements>
+    </Application>
+    <Application Id="[(AppVPackageRoot}]\office16\MSACCESS.EXE" Enabled="true">
+      <VisualElements>
+        <Name>Access 2016</Name>
+        <Icon />
+        <Description />
+      </VisualElements>
+    </Application>
+    ```
+
+6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+### Disabling Office 2016 shortcuts
+
+You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
+
+#### To disable shortcuts for Office 2016 applications
+
+1.  Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
+
+2.  To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems &lt;shortcut&gt; &lt;/shortcut&gt; intact to disable the Microsoft Access shortcut.
+
+    ``` syntax
+    Shortcuts 
+    
+    -->
+     <Shortcuts Enabled="true">
+      <Extensions>
+        <Extension Category="AppV.Shortcut">
+          <Shortcut>
+           <File>[{Common Programs}]\Microsoft Office 2016\Access 2016.lnk</File>
+           <Target>[{AppvPackageRoot}])office16\MSACCESS.EXE</Target>
+           <Icon>[{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico</Icon>
+           <Arguments />
+           <WorkingDirectory />
+           <AppuserModelId>Microsoft.Office.MSACCESS.EXE.16</AppUserModelId>
+           <AppUsermodelExcludeFroeShowInNewInstall>true</AppUsermodelExcludeFroeShowInNewInstall>
+           <Description>Build a professional app quickly to manage data.</Description>
+           <ShowCommand>l</ShowCommand>
+           <ApplicationId>[{AppVPackageRoot}]\officel6\MSACCESS.EXE</ApplicationId>
+        </Shortcut>
+    ```
+
+3. Save the Deployment Configuration File.
+
+4. Republish Office 2016 App-V Package with new Deployment Configuration File.
+
+Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
+
+### Managing Office 2016 package upgrades
+
+To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the following steps.
+
+#### How to upgrade a previously deployed Office 2016 package
+
+1.  Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
+
+    > **Note**&nbsp;&nbsp;Office App-V packages have two Version IDs:
+    > - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
+    > - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
+
+2.  Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
+
+3.  Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
+
+### Deploying Visio 2016 and Project 2016 with Office
+
+The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office.
+
+| **Task**            | **Details**   |
+|---------------------|---------------|
+| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.<br>If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic.  |
+| How can I deploy Visio 2016 and Project 2016 to specific users?       | Use one of the following methods:<br>**To create two different packages and deploy each one to a different group of users**:<br>Create and deploy the following packages:<br>- A package that contains only Office - deploy to computers whose users need only Office.<br>- A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.<br><br>**To create only one package for the whole organization, or create a package intended for users who share computers**:<br>Follow these steps:<br>1. Create a package that contains Office, Visio, and Project.<br>2. Deploy the package to all users.<br>3. Use [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) to prevent specific users from using Visio and Project. |
+
+## Related topics
+
+- [Deploying App-V for Windows 10](appv-deploying-appv.md)
+- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
+- [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
--- a/windows/manage/appv-for-windows.md
+++ b/windows/manage/appv-for-windows.md
@ -35,6 +35,7 @@ The topics in this section provide information and step-by-step procedures to he
 - [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)
 - [Deploying the App-V Server](appv-deploying-the-appv-server.md)
 - [App-V Deployment Checklist](appv-deployment-checklist.md)
+- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
 - [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
 - [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)

--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@ -12,6 +12,12 @@ author: jdeckerMS

 This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).

+## October 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. |
+
 ## September 2016

 | New or changed topic | Description |
--- a/windows/manage/lock-down-windows-10-to-specific-apps.md
+++ b/windows/manage/lock-down-windows-10-to-specific-apps.md
@ -18,6 +18,8 @@ localizationpriority: high

 -   Windows 10

+>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
 Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

 You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device.
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@ -88,7 +88,7 @@ The following example is a complete lockdown XML file that disables Action Cente

 ![XML for Apps](images/AppsXML.png)

-The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. If you don't include the Apps setting in the file, all apps on the device are available to the user.
+The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 

 You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)

--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -270,11 +270,11 @@ Fonts that are included in Windows but that are not stored on the local device c

 If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.

+If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
+
 > [!NOTE]  
 > After you apply this policy, you must restart the device for it to take effect.

-If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
-

 ### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds

@ -1353,3 +1353,5 @@ You can turn off automatic updates by doing one of the following. This is not re
    -   **5**. Turn off automatic updates.

 To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
+
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.
--- a/windows/manage/mandatory-user-profile.md
+++ b/windows/manage/mandatory-user-profile.md
@ -18,7 +18,7 @@ author: jdeckerMS
 > [!NOTE]
 > When a mandatory profile is applied to a PC running Windows 10, version 1511, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update. 

-A mandatory user profile is a roaming user profile that has been pre-configured by an administrators to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. 
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. 

 Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. 

--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md
@ -18,7 +18,9 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile

-IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
+>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

 ## Options to configure access to Windows Store

--- a/windows/manage/uev-troubleshooting.md
+++ b/windows/manage/uev-troubleshooting.md
@ -14,8 +14,11 @@ ms.prod: w10
 **Applies to**
 -   Windows 10, version 1607

+
 For information that can help with troubleshooting UE-V for Windows 10, see:

+- [UE-V FAQ Wiki](http://social.technet.microsoft.com/wiki/contents/articles/35333.ue-v-important-changes-in-ue-v-functionality-after-the-windows-10-anniversary-update.aspx)
+
 - [UE-V: List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx)

 - [User Experience Virtualization Release Notes](uev-release-notes-1607.md)
--- a/windows/manage/waas-overview.md
+++ b/windows/manage/waas-overview.md
@ -81,7 +81,7 @@ To align with the new method of delivering feature updates and quality updates i
 The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).

 >[!NOTE]
->Servicing branches are not the only way to separate groups of machines when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). 
+>Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). 


 ### Current Branch
@ -110,6 +110,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale

 Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.

+>[!NOTE]
+>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
+
 LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.

 >[!NOTE]
--- a/windows/manage/waas-wufb-intune.md
+++ b/windows/manage/waas-wufb-intune.md
@ -47,7 +47,7 @@ In this example, you use two security groups to manage your updates: **Ring 3 Br

 5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.

-6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.

 7. In the **Value** box, type **1**, and then click **OK**.

@ -78,7 +78,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
    
 4.	In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.

-6.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
+6.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.

 7.	Click **OK** to save the setting.

@ -86,7 +86,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB

 9.	For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.

-11.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. 
+11.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. 

 12.	In the **Value** box, type **1**.

@ -96,7 +96,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB

 15.	For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.

-17.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
+17.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.

 18.	In the **Value** box, type **1**.

@ -134,7 +134,7 @@ In this example, you use three security groups from Table 1 in [Build deployment

 4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.

-6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.

 7. In the **Value** box, type **0**, and then click **OK**.

@ -146,7 +146,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
 8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 14 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. 

 8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
-10.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays**.
+10.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
 11.	In the **Value** box, type **14**, and then click **OK**.

    ![Settings for this policy](images/waas-wufb-intune-step11a.png)
@ -174,7 +174,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e

 4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.

-6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.

 7. In the **Value** box, type **1**, and then click **OK**.

@ -186,7 +186,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e

 8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.

-10.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays**.
+10.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.

 11.	In the **Value** box, type **0**, and then click **OK**.

@ -216,7 +216,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f

 4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.

-6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.

 7. In the **Value** box, type **1**, and then click **OK**.

@ -228,7 +228,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f

 8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.

-10.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatePeriodInDays**.
+10.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.

 11.	In the **Value** box, type **7**, and then click **OK**.

@ -236,7 +236,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f

 8. In **Setting name**, type **Defer feature updates for 30 days**, and then select **Integer** from the **Data type** list.

-10.	In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays**.
+10.	In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.

 11.	In the **Value** box, type **30**, and then click **OK**.

--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@ -197,7 +197,7 @@ Event ID 6416 has been added to track when an external device is detected throug
 The following sections describe the new and changed functionality in the TPM for Windows 10:
 -   [Device health attestation](#bkmk-dha)
 -   [Microsoft Passport](microsoft-passport.md) support
-   [Device Guard](device-guard-overview.md) support
+-   [Device Guard](../keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) support
 -   [Credential Guard](../keep-secure/credential-guard.md) support

 ### <a href="" id="bkmk-dha"></a>Device health attestation
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@ -57,7 +57,7 @@ Windows 10, version 1607, provides administrators with increased control over up
 - Quality Updates can be deferred up to 30 days and paused for 35 days
 - Feature Updates can be deferred up to 180 days and paused for 60 days
 - Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB)
- Drivers can be excluded from udpates
+- Drivers can be excluded from updates

 ## Security