Merge remote-tracking branch 'refs/remotes/origin/master' into rs3

devices/surface-hub/install-apps-on-surface-hub.md

@@ -18,7 +18,7 @@ ms.localizationpriority: medium
 You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
 
 A few things to know about apps on Surface Hub:
-- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub).
 - Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
 - By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
 - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps.

windows/application-management/enterprise-background-activity-controls.md

@@ -59,5 +59,6 @@ The Universal Windows Platform ensures that consumers will have great battery li
 
 ## See also
 
-[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
+- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly)
+- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
 [Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity)

windows/client-management/connect-to-remote-aadj-pc.md

@@ -25,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
 
 ## Set up
 
-- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
+- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
 - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
 - On the PC that you want to connect to:
   1. Open system properties for the remote PC. 

windows/client-management/mdm/TOC.md

@@ -2,6 +2,7 @@
 ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
 ## [Mobile device enrollment](mobile-device-enrollment.md)
 ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
+### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
 ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
 ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
 ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -0,0 +1,121 @@
+---
+title: Enroll a Windows 10 device automatically using Group Policy
+description: Enroll a Windows 10 device automatically using Group Policy
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 10/02/2017
+---
+
+# Enroll a Windows 10 device automatically using Group Policy
+
+Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices. 
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured 
+- Enterprise AD must be registered with Azure AD
+
+> [!Tip]  
+> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+
+To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
+
+Here is a partial screenshot of the result:
+
+![device status result](images/autoenrollment-device-status.png)
+
+The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1611, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
+
+> [!Note]  
+> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation. 
+
+When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure  Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+
+In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
+
+For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
+
+## Configure the auto-enrollment Group Policy for a single PC
+
+This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured 
+- Enterprise AD must be registered with Azure AD
+
+1.	Run GPEdit.msc
+
+    Click Start, then in the text box type gpedit. 
+
+    ![GPEdit desktop app search result](images/autoenrollment-gpedit.png)
+
+2. Under **Best match**, click **Edit group policy** to launch it.
+
+3.  In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
+
+    ![MDM policies](images/autoenrollment-mdm-policies.png)
+
+4.	Double-click **Auto MDM Enrollment with AAD Token**.
+
+    ![MDM autoenrollment policy](images/autoenrollment-policy.png)
+
+5.	Click **Enable**, then click **OK**.
+
+     A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
+
+     To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+
+     If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
+
+     ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
+
+6.	To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
+
+7.	Click **Info** to see the MDM enrollment information.
+
+    ![Work School Settings](images/autoenrollment-settings-work-school.png)
+
+    If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
+
+
+### Task Scheduler app
+
+1. Click **Start**, then in the text box type **task scheduler**.
+
+   ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png)
+
+2.	Under **Best match**, click **Task Scheduler** to launch it.
+
+3.	In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. 
+
+    ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png)
+
+    To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. 
+
+    If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
+
+## Configure the auto-enrollment for a group of devices
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured (with Intune or a third party service provider)
+- Enterprise AD must be integrated with Azure AD.
+- Ensure that PCs belong to same computer group.
+
+1.	Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**.
+2.	Create a Security Group for the PCs.
+3.	Link the GPO.
+4.	Filter using Security Groups.
+5.	Enforce  a GPO link
+
+### Related topics
+
+- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
+- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx)
+- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx)
+- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx)
+- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx)

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 09/19/2017
+ms.date: 10/02/2017
 ---
 
 # What's new in MDM enrollment and management
@@ -1013,6 +1013,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <p>For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
 </td></tr>
 <tr class="odd">
+<td style="vertical-align:top">[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)</td>
+<td style="vertical-align:top"><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
+</td></tr>
+<tr class="odd">
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p> 
 <ul>
@@ -1415,6 +1419,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
 </td></tr>
 <tr class="odd">
+<td style="vertical-align:top">[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)</td>
+<td style="vertical-align:top"><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
+</td></tr>
+<tr class="odd">
 <td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
 <td style="vertical-align:top"><p>New features in the Settings app:</p>
 <ul>

windows/deployment/volume-activation/plan-for-volume-activation-client.md

@@ -75,6 +75,7 @@ Telephone activation is primarily used in situations where a computer is isolate
 
 **Note**  
 A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative.
+Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
 
 ### Multiple activation key
 

windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md

@@ -24,7 +24,7 @@ Your environment needs the following hardware to run Application Guard.
 |--------|-----------|
 |64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
 |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
-|Hardware memory|8 GB minimum, 16 GB recommended|
+|Hardware memory|Microsoft recommends 8GB RAM for optimal performance|
 |Hard disk|5 GB free space, solid state disk (SSD) recommended|
 |Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
 

windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md

@@ -156,7 +156,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
 
 7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
     - C:\MitigationSettings\Config.XML
-    -  \\Server\Share\Config.xml
+    -  \\\Server\Share\Config.xml
     -  https://localhost:8080/Config.xml
 
 8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).