From 83e049c9821db1302c20c4d1d671edbf5569c29c Mon Sep 17 00:00:00 2001 From: PaulHarfield Date: Tue, 11 Apr 2017 12:04:58 +0100 Subject: [PATCH 01/17] Update how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md --- ...cker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index d95b1e0364..067ac522b1 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -55,7 +55,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Robust error handling - You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. + You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. From 8e006b82860bdb7a4e2661aced4e610809798a80 Mon Sep 17 00:00:00 2001 
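Review bot: in [PATCH 01/17], the `+` line changes the Download Center link from `details.aspx?id=48698` to `en-us/download/details.aspx?id=54439`, and the commit message names only the file, so nothing records which package the new ID is meant to be. This link is where administrators fetch `Invoke-MbamClientDeployment.ps1`, the script that configures BitLocker and records recovery keys with the MBAM Server, so the message should state what id=54439 is and why it replaces id=48698. The new URL also hard-codes the `en-us` locale where the old one was locale-neutral; use `https://www.microsoft.com/download/details.aspx?id=54439`.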
From: Greg Lindsay Date: Wed, 12 Apr 2017 16:51:28 -0700 Subject: [PATCH 02/17] trying anything --- windows/deploy/resolve-windows-10-upgrade-errors.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index ecd6b073b2..651e7413bf 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -559,14 +559,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo - - +
+
### 0x800xxxxx - -Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. - -See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: +
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. +
+
See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: From 66526cac5d4af11de69d4ed395ab8dff71ebd704 Mon Sep 17 00:00:00 2001 From: ErikMoreau Date: Thu, 13 Apr 2017 09:39:03 +0200 Subject: [PATCH 03/17] fixed some typo's fixed some typo's --- windows/whats-new/whats-new-windows-10-version-1703.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 3995354bb7..f85fb080f1 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -141,7 +141,7 @@ New features for Windows Defender AV in Windows 10, version 1703 include: - [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) - [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md) -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). 
@@ -162,7 +162,7 @@ A new security policy setting You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). -For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal. +For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. 
@@ -174,7 +174,7 @@ For more details, check out [What if I forget my PIN?](../keep-secure/hello-why- The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates). -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. 
See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. ### Windows Insider for Business 
@@ -237,7 +237,7 @@ For more info, see [Implement server-side support for mobile application managem In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. 
Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md) @@ -273,7 +273,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements: - OTC update tool - Continuum display management - Individually turn off the monitor or phone screen when not in use - - Indivudally adjust screen time-out settings + - Indiviudally adjust screen time-out settings - Continuum docking solutions - Set Ethernet port properties - Set proxy properties for the Ethernet port From 6a5bf1e24bae4166ccdf83f00f02a7d6bf762a95 Mon Sep 17 00:00:00 2001 From: Jeremy Murrah Date: Thu, 13 Apr 2017 07:15:33 -0500 Subject: [PATCH 04/17] Typo in Configuration Designer Wizards feature table Connect to Wi-Fi network feature, "Wi-Fi" was spelled "Wi-Fit" --- windows/configure/provisioning-packages.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configure/provisioning-packages.md b/windows/configure/provisioning-packages.md index 8732d8c5a3..18a290180a 100644 --- a/windows/configure/provisioning-packages.md +++ b/windows/configure/provisioning-packages.md @@ -71,7 +71,7 @@ The following table describes settings that you can configure using the wizards
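Review bot: in [PATCH 03/17], hunk `@@ -273,7 +273,7 @@`, the replacement line is still misspelled: `Indivudally` becomes `Indiviudally`. The bullet directly above it has the intended spelling, so the `+` line should read `- Individually adjust screen time-out settings`.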
- + From e15e18995fc0911aa5e681498ab45bf9cc1da4bc Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 13 Apr 2017 10:16:59 -0700 Subject: [PATCH 05/17] removing some tags --- windows/deploy/resolve-windows-10-upgrade-errors.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index 651e7413bf..4070ea0d81 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -559,13 +559,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
**Step****Description****Desktop
wizard**
**Mobile
wizard**
**Kiosk
wizard**
Set up deviceAssign device name,
enter product key to upgrade Windows,
configure shared used,
remove pre-installed software
![yes](images/checkmark.png)![yes](images/checkmark.png)
(Only device name and upgrade key)
![yes](images/checkmark.png)
Set up networkConnect to a Wi-Fit network![yes](images/checkmark.png)![yes](images/checkmark.png)![yes](images/checkmark.png)
Set up networkConnect to a Wi-Fi network![yes](images/checkmark.png)![yes](images/checkmark.png)![yes](images/checkmark.png)
Account managementEnroll device in Active Directory,
enroll device in Azure Active Directory,
or create a local administrator account
![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
![no](images/crossmark.png)![yes](images/checkmark.png)![no](images/crossmark.png)
Add applicationsInstall applications using the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
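Review bot: in [PATCH 04/17], the "Set up device" row shown as context in this hunk still reads `configure shared used`, which looks like a typo for "configure shared use". This commit is already a typo fix in the same table, so correct it alongside the `Wi-Fit` change.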
-
-
+ + ### 0x800xxxxx -
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. -
-
See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: +Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. + +See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: From 3c8bfbeb6ba2877f5996e2d9cd45e8775da974e8 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 13 Apr 2017 10:48:03 -0700 Subject: [PATCH 06/17] sheesh --- windows/deploy/resolve-windows-10-upgrade-errors.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index 4070ea0d81..fa30d78c38 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -563,6 +563,8 @@ For more information, see [How to perform a clean boot in Windows](https://suppo ### 0x800xxxxx +
+ Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: From 22ea370324a4b41c68a3ed25d42766f04457e435 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 13 Apr 2017 10:56:04 -0700 Subject: [PATCH 07/17] frustrating --- .../deploy/resolve-windows-10-upgrade-errors.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index fa30d78c38..9eff4116e8 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -559,16 +559,29 @@ For more information, see [How to perform a clean boot in Windows](https://suppo + ### 0x800xxxxx -
+### one + +### two + + +## three + + + Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: + + + +
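Review bot: in [PATCH 07/17], the added `### one`, `### two` and `## three` lines are rendering-test placeholders inserted under the real `### 0x800xxxxx` heading of a published troubleshooting topic, and the subject line "frustrating" does not say what is being tested. Run the heading experiment on a scratch branch and submit a single commit whose message names the rendering problem, rather than carrying placeholder content through the series.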
From 8d5b683611d6cc782f090488b9dcccc20b94707d Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 13 Apr 2017 11:06:07 -0700 Subject: [PATCH 08/17] frustrating --- .../resolve-windows-10-upgrade-errors.md | 22 +++---------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index 9eff4116e8..afbd46133d 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -559,28 +559,12 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
- - - -### 0x800xxxxx - -### one - -### two - - -## three - - - - -Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. - -See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: - +This is some text. +This is text on a separate line. +This is where the H3 should be. From 9d0c41852c2975062a3c696785121c6d620a426e Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 13 Apr 2017 11:10:56 -0700 Subject: [PATCH 09/17] I think I got it! --- windows/deploy/resolve-windows-10-upgrade-errors.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index afbd46133d..8d1b88a4ba 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -553,18 +553,18 @@ Disconnect all peripheral devices that are connected to the system, except for t For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135). -

Ensure you select the option to "Download and install updates (recommended)." +

Ensure you select the option to "Download and install updates (recommended)."

-This is some text. +### 0x800xxxxx -This is text on a separate line. +Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. -This is where the H3 should be. +See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: From fa735b8220a1ad17ebeb8c0df9d4fc9bf84d5ad7 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 13 Apr 2017 11:27:52 -0700 Subject: [PATCH 10/17] forcing H3 --- windows/deploy/resolve-windows-10-upgrade-errors.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index 8d1b88a4ba..32fc7bbdae 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -560,13 +560,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
-### 0x800xxxxx +

0x800xxxxx

-Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. +

Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. -See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: +

See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: - +

- + @@ -318,7 +318,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
From 22d57acc53395841b6a46ea8e97024107a74312e Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 13 Apr 2017 11:42:39 -0700 Subject: [PATCH 11/17] added table with no header --- .../bitlocker-group-policy-settings.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 252b46ba59..89478e334a 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md 
@@ -360,15 +360,15 @@ This policy setting is applied when you turn on BitLocker. The startup PIN must This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. -| | | -|--------------------|----------------------| -| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | -| Introduced | Windows 10, version 1703 | -| Drive type | Operating system drives | -| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -| Conflicts | None | -| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | -| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| +| | | +| - | - | +| **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | +| **Introduced** | Windows 10, version 1703 | +| **Drive type** | Operating system drives | +| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +| **Conflicts** | None | +| **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | +| **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| **Reference** From 238e8648a310d63445bd078f4c273df4ed73b016 Mon Sep 17 00:00:00 2001 
From: James Mitchell Ullman Date: Thu, 13 Apr 2017 14:48:55 -0400 Subject: [PATCH 12/17] Fixed schema reference heading Line 101: removed T at beginning of heading Line 101: added x to the word "synta" --- windows/deploy/usmt-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/usmt-best-practices.md b/windows/deploy/usmt-best-practices.md index 6e06f8c3d9..4e43629a12 100644 --- a/windows/deploy/usmt-best-practices.md +++ b/windows/deploy/usmt-best-practices.md @@ -98,7 +98,7 @@ As the authorized administrator, it is your responsibility to protect the privac ``` -- **TUse the XML Schema (MigXML.xsd) when authoring .xml files to validate synta** +- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax** The MigXML.xsd schema file should not be included on the command line or in any of the .xml files. From ab42302e07f9d16e0cce6d20081c2a830de8cc50 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 13 Apr 2017 13:13:43 -0700 Subject: [PATCH 13/17] removed en-us --- ...cker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 067ac522b1..f0d6942f8b 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md 
@@ -55,7 +55,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Robust error handling - You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. + You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. From 7cfccdd8a0c0cbb62f05d4a3721844ac05398713 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 13 Apr 2017 13:44:24 -0700 Subject: [PATCH 14/17] add two topics --- .openpublishing.redirection.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6edf0bae08..03af544266 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -166,6 +166,16 @@ "redirect_document_id": true }, { +"source_path": "windows/manage/lockdown-features-windows-10.md", +"redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/set-up-shared-or-guest-pc.md", +"redirect_url": "/itpro/windows/configure/set-up-shared-or-guest-pc", +"redirect_document_id": true +}, +{ "source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md", "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", "redirect_document_id": false From f2e704d87e8b7b362ec9cfa08480eaf0e157452a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 13 Apr 2017 13:52:27 -0700 Subject: [PATCH 15/17] change to false --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 03af544266..e7a87cc50a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1078,7 +1078,7 @@ { "source_path": "windows/whats-new/lockdown-features-windows-10.md", "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/whats-new/microsoft-passport.md", From eee3044ebbfe664da5867495403ca82acbf9940e Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 13 Apr 2017 14:06:13 -0700 Subject: [PATCH 16/17] Removed guidance causing dual scan in SCCM --- ...as-manage-updates-configuration-manager.md | 77 ------------------- 1 file changed, 77 deletions(-) diff --git a/windows/update/waas-manage-updates-configuration-manager.md b/windows/update/waas-manage-updates-configuration-manager.md index 9bdb0238e0..755c3c34a5 100644 --- a/windows/update/waas-manage-updates-configuration-manager.md 
+++ b/windows/update/waas-manage-updates-configuration-manager.md 
@@ -48,83 +48,6 @@ For the Windows 10 servicing dashboard to display information, you must adhere t When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard. -## Enable CBB clients in Windows 10, version 1511 - -When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode. - -**To use Group Policy to configure a client for the CBB servicing branch** - ->[!NOTE] ->In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied. - -1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -4. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**. - - ![Example of UI](images/waas-sccm-fig2.png) - -5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO. - - >[!NOTE] - >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure. - -6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**. - -7. 
In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. - -8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**. - - ![Example of UI](images/waas-sccm-fig3.png) - -9. Enable the policy, and then click **OK**. - - >[!NOTE] - >The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing. - -10. Close the Group Policy Management Editor. - -This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU. - - -## Enable CBB clients in Windows 10, version 1607 - -When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in CB mode. - ->[!NOTE] ->System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607. - -**To use Group Policy to configure a client for the CBB servicing branch** - ->[!NOTE] ->In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied. - -1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC. - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**. 
- - ![Example of UI](images/waas-sccm-fig2.png) - -5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO. - - >[!NOTE] - >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure. - -6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**. - -7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates. - -8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**. - -9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**. - -10. Close the Group Policy Management Editor. - -This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU. - ## Create collections for deployment rings Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users. From 6b7031b75fe3a35cadfd98ac4c7092b103adf8c2 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 13 Apr 2017 14:58:13 -0700 Subject: [PATCH 17/17] updating requirements for WHfB --- windows/keep-secure/hello-manage-in-organization.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
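Review bot: in [PATCH 16/17], the hunk deletes both "Enable CBB clients" sections, but the retained "Create collections for deployment rings" text still tells the reader to build a **Windows 10 – All Current Branch for Business** collection for "all CBB clients". With those sections gone, the topic no longer says how a client is placed on CBB. Add a sentence or link that covers this. Since the subject line says the removed guidance caused dual scan, also consider a short note for administrators who already deployed the **Enable Current Branch for Business** GPO from the old steps.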
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md index 44cef02636..165f6259f6 100644 --- a/windows/keep-secure/hello-manage-in-organization.md +++ b/windows/keep-secure/hello-manage-in-organization.md @@ -307,7 +307,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
Windows Hello for Business mode Azure ADActive Directory (AD) on-premises (available with production release of Windows Server 2016)Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients) Azure AD/AD hybrid (available with production release of Windows Server 2016)
  • Active Directory Federation Service (AD FS) (Windows Server 2016)
  • A few Windows Server 2016 domain controllers on-site
  • -
  • Microsoft System Center 2012 R2 Configuration Manager SP2
  • Azure AD subscription
  • @@ -339,7 +338,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
  • ADFS (Windows Server 2016)
  • Active Directory Domain Services (AD DS) Windows Server 2016 schema
  • PKI infrastructure
  • -
  • Configuration Manager SP2, Intune, or non-Microsoft MDM solution
  • Azure AD subscription
  • @@ -355,7 +353,8 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. - +>[!IMPORTANT] +>Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available. ## How to use Windows Hello for Business with Azure Active Directory
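Review bot: in [PATCH 17/17], the two changes contradict each other. Hunk `@@ -307,7 +307,7 @@` retitles the column to `Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)`, which reads as supported today, while the note added in hunk `@@ -355,7 +353,8 @@` says the on-premises deployment `**is not currently available**`. Reword the column header so it agrees with the note, for example by marking it as a future deployment type. The commit message should also say why the two Configuration Manager SP2 list items are dropped from the requirements.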