-Kernel -User –Update`
- **Note**
- *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
-
-
-
- **Note**
- Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section.
-
-
+ **Note**
+ *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
+
+ **Note**
+ Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section.
6. Remove the unsigned policy rule option:
@@ -1286,13 +1153,9 @@ If you do not have a code signing certificate, see the [Create a Device Guard co
**Note**
The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the machine you use to sign the policy.
-
+9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section.
-9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section.
-
-###
-
-**Disable unsigned code integrity policies**
+### Disable unsigned code integrity policies
There may come a time when an administrator wants to disable a code integrity policy. For unsigned code integrity policies, this process is simple. Depending on how the code integrity policy was deployed, unsigned policies can be disabled in one of two ways. If a code integrity policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the machine. The following locations can contain executing code integrity policies:
@@ -1302,9 +1165,7 @@ There may come a time when an administrator wants to disable a code integrity po
If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart.
-###
-
-**Disable signed code integrity policies within Windows**
+### Disable signed code integrity policies within Windows
Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps:
@@ -1315,15 +1176,12 @@ For reference, signed code integrity policies should be replaced and removed fro
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
-
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
**Note**
To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
-
-
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
@@ -1331,8 +1189,6 @@ For reference, signed code integrity policies should be replaced and removed fro
**Note**
If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
-
-
4. Delete the new policy.
5. Restart the client computer.
@@ -1353,17 +1209,13 @@ If the signed code integrity policy has been deployed using by using Group Polic
**Note**
If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
-
-
4. Set the GPO to disabled.
5. Delete the new policy.
6. Restart the client computer.
-###
-
-**Disable signed code integrity policies within the BIOS**
+### Disable signed code integrity policies within the BIOS
There may be a time when signed code integrity policies cause a boot failure. Because code integrity policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed code integrity policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
@@ -1378,15 +1230,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be
Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
**Note**
-This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-golden) section.
-
-
+This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-integrity-polices-from-golden-pcs) section.
**Note**
Signed code integrity policies can cause boot failures when deployed. Microsoft recommends that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
-
-
To deploy and manage a code integrity policy with Group Policy:
1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search.
@@ -1396,11 +1244,9 @@ To deploy and manage a code integrity policy with Group Policy:
**Note**
The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section.
-
+ 
- 
-
- Figure 24. Create a GPO
+ Figure 24. Create a GPO
3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example.
@@ -1426,12 +1272,9 @@ To deploy and manage a code integrity policy with Group Policy:
**Note**
You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
-
-
-7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity)section.
-
-## Create a Device Guard code signing certificate
+7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies)section.
+## Create a Device Guard code signing certificate
To sign catalog files or code integrity policies internally, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip these steps and proceed to the sections that outline the steps to sign catalog files and code integrity policies. If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate:
@@ -1500,8 +1343,6 @@ Now that the template is available to be issued, you must request one from the W
**Note**
If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
-
-
This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the machine on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
@@ -1517,23 +1358,12 @@ When the certificate has been exported, import it into the personal store for th
## Related topics
-[AppLocker overview](http://go.microsoft.com/fwlink/p/?LinkId=624172)
+[AppLocker overview](applocker-overview.md)
[Code integrity](http://go.microsoft.com/fwlink/p/?LinkId=624173)
-[Credential guard](http://go.microsoft.com/fwlink/p/?LinkId=624529)
-
-[Device Guard certification and compliance](http://go.microsoft.com/fwlink/p/?LinkId=624840)
+[Credential guard](credential-guard.md)
[Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624843)
[Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](http://go.microsoft.com/fwlink/p/?LinkId=624844)
-
-
-
-
-
-
-
-
-
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 3324e10449..7da90bbb2a 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -17,7 +17,8 @@
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
-### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)
+### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)
+### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 8767cf30ff..81182141c2 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -10,145 +10,54 @@ author: jdeckerMS
# Change history for Manage and update Windows 10
-
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## May 2016
-New or changed topic | Description |
----|---|
-[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
+| New or changed topic | Description |
+| ---|---|
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
+| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles |
+| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
+
## April 2016
-
-
-
-
-
-
-
-| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) |
-Added screenshots of Control Panel and the administrative tools folder. |
-
-
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Added the font streaming section. |
-
-
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) |
-Made corrections to script and instructions for Shell Launcher. |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) | Added screenshots of Control Panel and the administrative tools folder. |
+| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added the font streaming section. |
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Made corrections to script and instructions for Shell Launcher. |
## March 2016
-
-
-
-
-
-
-
-
-| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) |
-New |
-
-
-| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) |
-New |
-
-
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
-Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
+| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
## February 2016
-
-
-
-
-
-
-
-
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Added call history and email to the Settings > Privacy section.
-Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-
-
-| [Customize and export Start layout](customize-and-export-start-layout.md) |
-Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
-
-
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) |
-Added instructions for replacing markup characters with escape characters in Start layout XML |
-
-
-| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) |
-New |
-
-
-| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) |
-New |
-
-
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) |
-Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
+| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
+| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
+| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
## December 2015
-
-
-
-
-
-
-
-
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
-New |
-
-
-| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |
-New |
-
-
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) |
- |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New |
+| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
+|[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
## November 2015
-
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New |
@@ -166,11 +75,8 @@ New or changed topic | Description |
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated |
| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated |
-
-
## Related topics
-
[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
@@ -179,11 +85,4 @@ New or changed topic | Description |
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
-
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
new file mode 100644
index 0000000000..df77f2d6aa
--- /dev/null
+++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
@@ -0,0 +1,1271 @@
+---
+title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
+description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
+ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
+keywords: privacy, stop data flow to Microsoft
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+---
+
+# Configure Windows 10 devices to stop data flow to Microsoft
+
+**Applies to**
+
+- Windows 10
+
+If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+
+Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
+
+If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+
+Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
+
+In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
+
+Here's what's covered in this article:
+
+- [Info management settings](#bkmk-othersettings)
+
+ - [1. Cortana](#bkmk-cortana)
+
+ - [1.1 Cortana Group Policies](#bkmk-cortana-gp)
+
+ - [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
+
+ - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
+
+ - [2. Date & Time](#bkmk-datetime)
+
+ - [3. Device metadata retrieval](#bkmk-devinst)
+
+ - [4. Font streaming](#font-streaming)
+
+ - [5. Insider Preview builds](#bkmk-previewbuilds)
+
+ - [6. Internet Explorer](#bkmk-ie)
+
+ - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
+
+ - [6.2 ActiveX control blocking](#bkmk-ie-activex)
+
+ - [7. Live Tiles](#live-tiles)
+
+ - [8. Mail synchronization](#bkmk-mailsync)
+
+ - [9. Microsoft Edge](#bkmk-edge)
+
+ - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp)
+
+ - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
+
+ - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
+
+ - [10. Network Connection Status Indicator](#bkmk-ncsi)
+
+ - [11. Offline maps](#bkmk-offlinemaps)
+
+ - [12. OneDrive](#bkmk-onedrive)
+
+ - [13. Preinstalled apps](#bkmk-preinstalledapps)
+
+ - [14. Settings > Privacy](#bkmk-settingssection)
+
+ - [14.1 General](#bkmk-priv-general)
+
+ - [14.2 Location](#bkmk-priv-location)
+
+ - [14.3 Camera](#bkmk-priv-camera)
+
+ - [14.4 Microphone](#bkmk-priv-microphone)
+
+ - [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+
+ - [14.6 Account info](#bkmk-priv-accounts)
+
+ - [14.7 Contacts](#bkmk-priv-contacts)
+
+ - [14.8 Calendar](#bkmk-priv-calendar)
+
+ - [14.9 Call history](#bkmk-priv-callhistory)
+
+ - [14.10 Email](#bkmk-priv-email)
+
+ - [14.11 Messaging](#bkmk-priv-messaging)
+
+ - [14.12 Radios](#bkmk-priv-radios)
+
+ - [14.13 Other devices](#bkmk-priv-other-devices)
+
+ - [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+
+ - [14.15 Background apps](#bkmk-priv-background)
+
+ - [15. Software Protection Platform](#bkmk-spp)
+
+ - [16. Sync your settings](#bkmk-syncsettings)
+
+ - [17. Teredo](#bkmk-teredo)
+
+ - [18. Wi-Fi Sense](#bkmk-wifisense)
+
+ - [19. Windows Defender](#bkmk-defender)
+
+ - [20. Windows Media Player](#bkmk-wmp)
+
+ - [21. Windows spotlight](#bkmk-spotlight)
+
+ - [22. Windows Store](#bkmk-windowsstore)
+
+ - [23. Windows Update Delivery Optimization](#bkmk-updates)
+
+ - [23.1 Settings > Update & security](#bkmk-wudo-ui)
+
+ - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
+
+ - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
+
+ - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
+
+ - [24. Windows Update](#bkmk-wu)
+
+## What's new in Windows 10, version 1511
+
+
+Here's a list of changes that were made to this article for Windows 10, version 1511:
+
+- Added the following new sections:
+
+ - [Mail synchronization](#bkmk-mailsync)
+
+ - [Offline maps](#bkmk-offlinemaps)
+
+ - [Windows spotlight](#bkmk-spotlight)
+
+ - [Windows Store](#bkmk-windowsstore)
+
+- Added the following Group Policies:
+
+ - Open a new tab with an empty tab
+
+ - Configure corporate Home pages
+
+ - Let Windows apps access location
+
+ - Let Windows apps access the camera
+
+ - Let Windows apps access the microphone
+
+ - Let Windows apps access account information
+
+ - Let Windows apps access contacts
+
+ - Let Windows apps access the calendar
+
+ - Let Windows apps access messaging
+
+ - Let Windows apps control radios
+
+ - Let Windows apps access trusted devices
+
+ - Do not show feedback notifications
+
+ - Turn off Automatic Download and Update of Map Data
+
+ - Force a specific default lock screen image
+
+- Added the AllowLinguisticDataCollection MDM policy.
+
+- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
+
+- Changed the Windows Update section to apply system-wide settings, and not just per user.
+
+## Info management settings
+
+
+This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
+
+- [1. Cortana](#bkmk-cortana)
+
+- [2. Date & Time](#bkmk-datetime)
+
+- [3. Device metadata retrieval](#bkmk-devinst)
+
+- [4. Font streaming](#font-streaming)
+
+- [5. Insider Preview builds](#bkmk-previewbuilds)
+
+- [6. Internet Explorer](#bkmk-ie)
+
+- [7. Live Tiles](#live-tiles)
+
+- [8. Mail synchronization](#bkmk-mailsync)
+
+- [9. Microsoft Edge](#bkmk-edge)
+
+- [10. Network Connection Status Indicator](#bkmk-ncsi)
+
+- [11. Offline maps](#bkmk-offlinemaps)
+
+- [12. OneDrive](#bkmk-onedrive)
+
+- [13. Preinstalled apps](#bkmk-preinstalledapps)
+
+- [14. Settings > Privacy](#bkmk-settingssection)
+
+- [15. Software Protection Platform](#bkmk-spp)
+
+- [16. Sync your settings](#bkmk-syncsettings)
+
+- [17. Teredo](#bkmk-teredo)
+
+- [18. Wi-Fi Sense](#bkmk-wifisense)
+
+- [19. Windows Defender](#bkmk-defender)
+
+- [20. Windows Media Player](#bkmk-wmp)
+
+- [21. Windows spotlight](#bkmk-spotlight)
+
+- [22. Windows Store](#bkmk-windowsstore)
+
+- [23. Windows Update Delivery Optimization](#bkmk-updates)
+
+- [24. Windows Update](#bkmk-wu)
+
+
+See the following table for a summary of the management settings. For more info, see its corresponding section.
+
+
+
+### 1. Cortana
+
+Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
+
+### 1.1 Cortana Group Policies
+
+Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
+
+| Policy | Description |
+|------------------------------------------------------|---------------------------------------------------------------------------------------|
+| Allow Cortana | Choose whether to let Cortana install and run on the device. |
+| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. |
+| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled|
+| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
+| Set what information is shared in Search | Control what information is shared with Bing in Search. |
+
+When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
+
+1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
+
+2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
+
+3. On the **Rule Type** page, click **Program**, and then click **Next**.
+
+4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
+
+5. On the **Action** page, click **Block the connection**, and then click **Next**.
+
+6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
+
+7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
+
+8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
+
+9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
+
+ - For **Protocol type**, choose **TCP**.
+
+ - For **Local port**, choose **All Ports**.
+
+ - For **Remote port**, choose **All ports**.
+
+**Note**
+If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
+
+### 1.2 Cortana MDM policies
+
+The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
+| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed|
+
+### 1.3 Cortana Windows Provisioning
+
+To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
+
+### 2. Date & Time
+
+You can prevent Windows from setting the time automatically.
+
+- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
+
+ -or-
+
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
+
+### 3. Device metadata retrieval
+
+To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+
+### 4. Font streaming
+
+Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
+
+To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
+
+**Note**
+This may change in future versions of Windows.
+
+### 5. Insider Preview builds
+
+To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
+
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+
+ -or-
+
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+ -or-
+
+- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+### 6. Internet Explorer
+
+Use Group Policy to manage settings for Internet Explorer.
+
+### 6.1 Internet Explorer Group Policies
+
+Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled|
+| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
+| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
+| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
+
+### 6.2 ActiveX control blocking
+
+ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+
+For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
+
+### 7. Live Tiles
+
+To turn off Live Tiles:
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+
+### 8. Mail synchronization
+
+To turn off mail synchronization for Microsoft Accounts that are configured on a device:
+
+- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
+
+ -or-
+
+- Remove any Microsoft Accounts from the Mail app.
+
+ -or-
+
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+
+To turn off the Windows Mail app:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
+
+### 9. Microsoft Edge
+
+Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
+
+### 9.1 Microsoft Edge Group Policies
+
+Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
+
+**Note**
+The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled |
+| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled |
+| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
+| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+
+### 9.2 Microsoft Edge MDM policies
+
+The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed |
+| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed |
+| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed |
+| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed |
+| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed |
+
+### 9.3 Microsoft Edge Windows Provisioning
+
+Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
+
+For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
+
+### 10. Network Connection Status Indicator
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+
+You can turn off NCSI through Group Policy:
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+
+### 11. Offline maps
+
+You can turn off the ability to download and update offline maps.
+
+- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+
+### 12. OneDrive
+
+To turn off OneDrive in your organization:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+
+### 13. Preinstalled apps
+
+Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
+
+To remove the News app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
+
+To remove the Weather app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
+
+To remove the Money app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
+
+To remove the Sports app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
+
+To remove the Twitter app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
+
+To remove the XBOX app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
+
+To remove the Sway app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
+
+To remove the OneNote app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
+
+To remove the Get Office app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
+
+To remove the Get Skype app:
+
+- Right-click the Sports app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
+
+### 14. Settings > Privacy
+
+Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
+
+- [14.1 General](#bkmk-general)
+
+- [14.2 Location](#bkmk-priv-location)
+
+- [14.3 Camera](#bkmk-priv-camera)
+
+- [14.4 Microphone](#bkmk-priv-microphone)
+
+- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+
+- [14.6 Account info](#bkmk-priv-accounts)
+
+- [14.7 Contacts](#bkmk-priv-contacts)
+
+- [14.8 Calendar](#bkmk-priv-calendar)
+
+- [14.9 Call history](#bkmk-priv-callhistory)
+
+- [14.10 Email](#bkmk-priv-email)
+
+- [14.11 Messaging](#bkmk-priv-messaging)
+
+- [14.12 Radios](#bkmk-priv-radios)
+
+- [14.13 Other devices](#bkmk-priv-other-devices)
+
+- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+
+- [14.15 Background apps](#bkmk-priv-background)
+
+### 14.1 General
+
+**General** includes options that don't fall into other areas.
+
+To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
+
+**Note**
+When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+
+To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
+
+ Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+
+ -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
+ -or-
+
+- Create a provisioning package, using:
+
+ - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
+
+ - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
+
+To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
+
+**Note**
+If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Not allowed
+
+ - **1**. Allowed (default)
+
+To turn off **Let websites provide locally relevant content by accessing my language list**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
+
+### 14.2 Location
+
+In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
+
+To turn off **Location for this device**:
+
+- Click the **Change** button in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+
+ -or-
+
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Turned off and the employee can't turn it back on.
+
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
+
+ - **2**. Turned on and the employee can't turn it off.
+
+ **Note**
+ You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
+
+ - **No**. Turns off location service.
+
+ - **Yes**. Turns on location service. (default)
+
+To turn off **Location**:
+
+- Turn off the feature in the UI.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+To turn off **Location history**:
+
+- Erase the history using the **Clear** button in the UI.
+
+To turn off **Choose apps that can use your location**:
+
+- Turn off each app using the UI.
+
+### 14.3 Camera
+
+In the **Camera** area, you can choose which apps can access a device's camera.
+
+To turn off **Let apps use my camera**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+ **Note**
+ You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+To turn off **Choose apps that can use your camera**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.4 Microphone
+
+In the **Microphone** area, you can choose which apps can access a device's microphone.
+
+To turn off **Let apps use my microphone**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can use your microphone**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.5 Speech, inking, & typing
+
+In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
+
+**Note**
+For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
+
+
+
+To turn off the functionality:
+
+- Click the **Stop getting to know me** button, and then click **Turn off**.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
+
+ -and-
+
+ Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+
+### 14.6 Account info
+
+In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
+
+To turn off **Let apps access my name, picture, and other account info**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose the apps that can access your account info**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.7 Contacts
+
+In the **Contacts** area, you can choose which apps can access an employee's contacts list.
+
+To turn off **Choose apps that can access contacts**:
+
+- Turn off the feature in the UI for each app.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.8 Calendar
+
+In the **Calendar** area, you can choose which apps have access to an employee's calendar.
+
+To turn off **Let apps access my calendar**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can access calendar**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.9 Call history
+
+In the **Call history** area, you can choose which apps have access to an employee's call history.
+
+To turn off **Let apps access my call history**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.10 Email
+
+In the **Email** area, you can choose which apps have can access and send email.
+
+To turn off **Let apps access and send email**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.11 Messaging
+
+In the **Messaging** area, you can choose which apps can read or send messages.
+
+To turn off **Let apps read or send messages (text or MMS)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can read or send messages**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.12 Radios
+
+In the **Radios** area, you can choose which apps can turn a device's radio on or off.
+
+To turn off **Let apps control radios**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can control radios**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.13 Other devices
+
+In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
+
+To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
+
+- Turn off the feature in the UI.
+
+To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.14 Feedback & diagnostics
+
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+
+To change how frequently **Windows should ask for my feedback**:
+
+**Note**
+Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+
+
+
+- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+
+ -or-
+
+- Create the registry keys (REG\_DWORD type):
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+
+ Based on these settings:
+
+ | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
+ |---------------|-----------------------------|-----------------------------|
+ | Automatically | Delete the registry setting | Delete the registry setting |
+ | Never | 0 | 0 |
+ | Always | 100000000 | Delete the registry setting |
+ | Once a day | 864000000000 | 1 |
+ | Once a week | 6048000000000 | 1 |
+
+
+
+To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
+
+- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
+
+ **Note**
+ You can't use the UI to change the telemetry level to **Security**.
+
+
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+
+ -or-
+
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+### 14.15 Background apps
+
+In the **Background Apps** area, you can choose which apps can run in the background.
+
+To turn off **Let apps run in the background**:
+
+- Turn off the feature in the UI for each app.
+
+### 15. Software Protection Platform
+
+Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
+
+**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+
+The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+
+### 16. Sync your settings
+
+You can control if your settings are synchronized:
+
+- In the UI: **Settings** > **Accounts** > **Sync your settings**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+
+ -or-
+
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
+
+ - **No**. Settings are not synchronized.
+
+ - **Yes**. Settings are synchronized. (default)
+
+To turn off Messaging cloud sync:
+
+- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
+
+### 17. Teredo
+
+You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+
+- From an elevated command prompt, run **netsh interface teredo set state disabled**
+
+### 18. Wi-Fi Sense
+
+Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
+
+To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
+
+ -or-
+
+- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
+
+ -or-
+
+- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910).
+
+When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
+
+### 19. Windows Defender
+
+You can opt of the Microsoft Antimalware Protection Service.
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
+
+ -or-
+
+- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
+
+You can stop sending file samples back to Microsoft.
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+
+ -or-
+
+- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Always prompt.
+
+ - **1**. (default) Send safe samples automatically.
+
+ - **2**. Never send.
+
+ - **3**. Send all samples automatically.
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+
+You can stop downloading definition updates:
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+
+ -and-
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+
+### 20. Windows Media Player
+
+To remove Windows Media Player:
+
+- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
+
+ -or-
+
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+
+### 21. Windows spotlight
+
+Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
+
+- Configure the following in **Settings**:
+
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**.
+
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+
+ - **System** > **Notifications & actions** > **Show me tips about Windows**.
+
+ -or-
+
+- Apply the Group Policies:
+
+ - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ - Add a location in the **Path to local lock screen image** box.
+
+ - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+
+ **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+
+
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+
+For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
+
+### 22. Windows Store
+
+You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
+
+### 23. Windows Update Delivery Optimization
+
+Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+
+By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
+
+Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
+
+### 23.1 Settings > Update & security
+
+You can set up Delivery Optimization from the **Settings** UI.
+
+- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
+
+### 23.2 Delivery Optimization Group Policies
+
+You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including None. Turns off Delivery Optimization.
Group. Gets or sends updates and apps to PCs on the same local network domain.
Internet. Gets or sends updates and apps to PCs on the Internet.
LAN. Gets or sends updates and apps to PCs on the same NAT only.
|
+| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+### 23.3 Delivery Optimization MDM policies
+
+The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including 0. Turns off Delivery Optimization.
1. Gets or sends updates and apps to PCs on the same NAT only.
2. Gets or sends updates and apps to PCs on the same local network domain.
3. Gets or sends updates and apps to PCs on the Internet.
|
+| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+
+### 23.4 Delivery Optimization Windows Provisioning
+
+If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
+
+Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
+
+1. Open Windows ICD, and then click **New provisioning package**.
+
+2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
+
+3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
+
+4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
+
+For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
+
+### 24. Windows Update
+
+You can turn off Windows Update by setting the following registry entries:
+
+- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+ -and-
+
+- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+You can turn off automatic updates by doing one of the following. This is not recommended.
+
+- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+
+ -or-
+
+- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Notify the user before downloading the update.
+
+ - **1**. Auto install the update and then notify the user to schedule a device restart.
+
+ - **2** (default). Auto install and restart.
+
+ - **3**. Auto install and restart at a specified time.
+
+ - **4**. Auto install and restart without end-user control.
+
+ - **5**. Turn off automatic updates.
+
+To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
new file mode 100644
index 0000000000..58de9307b7
--- /dev/null
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -0,0 +1,295 @@
+---
+description: Use this article to make informed decisions about how you can configure telemetry in your organization.
+title: Configure Windows telemetry in your organization (Windows 10)
+keywords: privacy
+---
+
+# Configure Windows telemetry in your organization
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+- Windows Server 2016 Technical Preview
+
+Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
+
+**Note**
+This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
+
+It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
+
+## Overview
+
+In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM.
+
+Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
+
+Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization.
+
+## How is telemetry data handled by Microsoft?
+
+### Data collection
+
+Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
+4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
+
+Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
+
+The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
+
+[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
+
+[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
+
+### Data use and access
+
+Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
+
+## Telemetry levels
+
+
+This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
+
+The telemetry data is categorized into four levels:
+
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
+
+- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
+
+The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
+
+
+
+### Security level
+
+The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
+
+**Note**
+If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
+
+
+
+The data gathered at this level includes:
+
+- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+ **Note**
+ You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+
+
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+ **Note**
+ This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
+
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+
+
+For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+
+The data gathered at this level includes:
+
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including:
+
+ - Device attributes, such as camera resolution and display type
+
+ - Internet Explorer version
+
+ - Battery attributes, such as capacity and type
+
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+ - Operating system attributes, such as Windows edition and virtualization state
+
+ - Storage attributes, such as number of drives, type, and size
+
+- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+ - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
+
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+
+The data gathered at this level includes:
+
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+
+### Full level
+
+The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+- Ability to get registry keys.
+
+- All crash dump types, including heap dumps and full dumps.
+
+### Manage your telemetry settings
+
+We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+
+**Important**
+These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+
+You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
+
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
+
+### Configure the operating system telemetry level
+
+You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Value | Level | Data gathered |
+|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
+| **0** | Security | Security data only. |
+| **1** | Basic | Security data, and basic system and quality data. |
+| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
+| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
+
+
+
+### Use Group Policy to set the telemetry level
+
+Use a Group Policy object to set your organization’s telemetry level.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+
+2. Double-click **Allow Telemetry**.
+
+3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the telemetry level
+
+Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the telemetry level
+
+Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
+
+2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3. Type **AllowTelemetry**, and then press ENTER.
+
+4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Configure System Center 2016 telemetry
+
+For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
+
+- Turn off telemetry by using the System Center UI Console settings workspace.
+
+- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+
+### Additional telemetry controls
+
+There are a few more settings that you can turn off that may send telemetry information:
+
+- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+ **Note**
+ Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+
+
+## Examples of how Microsoft uses the telemetry data
+
+
+### Drive higher application and driver quality in the ecosystem
+
+Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications
+
+### Reduce your total cost of ownership and downtime
+
+Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
+
+### Build features that address our customers’ needs
+
+Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
\ No newline at end of file
diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md
index 5bfad5466a..2adc6e5005 100644
--- a/windows/manage/disconnect-your-organization-from-microsoft.md
+++ b/windows/manage/disconnect-your-organization-from-microsoft.md
@@ -1,1809 +1,4 @@
---
-title: Configure telemetry and other settings in your organization (Windows 10)
-description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
-ms.prod: W10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: brianlic-msft
----
-
-# Configure telemetry and other settings in your organization
-
-
-**Applies to**
-
-- Windows 10
-
-Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-
-**Note** Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows.
-
-
-
-Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
-
-In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
-
-We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
-
-Here's what's covered in this article:
-
-- [Info management settings](#bkmk-othersettings)
-
- - [1. Cortana](#bkmk-cortana)
-
- - [1.1 Cortana Group Policies](#bkmk-cortana-gp)
-
- - [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
-
- - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
-
- - [2. Date & Time](#bkmk-datetime)
-
- - [3. Device metadata retrieval](#bkmk-devinst)
-
- - [4. Font streaming](#font-streaming)
-
- - [5. Insider Preview builds](#bkmk-previewbuilds)
-
- - [6. Internet Explorer](#bkmk-ie)
-
- - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
-
- - [6.2 ActiveX control blocking](#bkmk-ie-activex)
-
- - [7. Mail synchronization](#bkmk-mailsync)
-
- - [8. Microsoft Edge](#bkmk-edge)
-
- - [8.1 Microsoft Edge Group Policies](#bkmk-edgegp)
-
- - [8.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
-
- - [8.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
-
- - [9. Network Connection Status Indicator](#bkmk-ncsi)
-
- - [10. Offline maps](#bkmk-offlinemaps)
-
- - [11. OneDrive](#bkmk-onedrive)
-
- - [12. Preinstalled apps](#bkmk-preinstalledapps)
-
- - [13. Settings > Privacy](#bkmk-settingssection)
-
- - [13.1 General](#bkmk-general)
-
- - [13.2 Location](#bkmk-priv-location)
-
- - [13.3 Camera](#bkmk-priv-camera)
-
- - [13.4 Microphone](#bkmk-priv-microphone)
-
- - [13.5 Speech, inking, & typing](#bkmk-priv-speech)
-
- - [13.6 Account info](#bkmk-priv-accounts)
-
- - [13.7 Contacts](#bkmk-priv-contacts)
-
- - [13.8 Calendar](#bkmk-priv-calendar)
-
- - [13.9 Call history](#bkmk-priv-callhistory)
-
- - [13.10 Email](#bkmk-priv-email)
-
- - [13.11 Messaging](#bkmk-priv-messaging)
-
- - [13.12 Radios](#bkmk-priv-radios)
-
- - [13.13 Other devices](#bkmk-priv-other-devices)
-
- - [13.14 Feedback & diagnostics](#bkmk-priv-feedback)
-
- - [13.15 Background apps](#bkmk-priv-background)
-
- - [14. Software Protection Platform](#bkmk-spp)
-
- - [15. Sync your settings](#bkmk-syncsettings)
-
- - [16. Teredo](#bkmk-teredo)
-
- - [17. Wi-Fi Sense](#bkmk-wifisense)
-
- - [18. Windows Defender](#bkmk-defender)
-
- - [19. Windows Media Player](#bkmk-wmp)
-
- - [20. Windows spotlight](#bkmk-spotlight)
-
- - [21. Windows Store](#bkmk-windowsstore)
-
- - [22. Windows Update Delivery Optimization](#bkmk-updates)
-
- - [22.1 Settings > Update & security](#bkmk-wudo-ui)
-
- - [22.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
-
- - [22.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
-
- - [22.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
-
- - [23. Windows Update](#bkmk-wu)
-
-- [Manage your telemetry settings](#bkmk-utc)
-
-- [How telemetry works](#bkmk-moreutc)
-
-## What's new in Windows 10, version 1511
-
-
-Here's a list of changes that were made to this article for Windows 10, version 1511:
-
-- Added the following new sections:
-
- - [Mail synchronization](#bkmk-mailsync)
-
- - [Offline maps](#bkmk-offlinemaps)
-
- - [Windows spotlight](#bkmk-spotlight)
-
- - [Windows Store](#bkmk-windowsstore)
-
-- Added the following Group Policies:
-
- - Open a new tab with an empty tab
-
- - Configure corporate Home pages
-
- - Let Windows apps access location
-
- - Let Windows apps access the camera
-
- - Let Windows apps access the microphone
-
- - Let Windows apps access account information
-
- - Let Windows apps access contacts
-
- - Let Windows apps access the calendar
-
- - Let Windows apps access messaging
-
- - Let Windows apps control radios
-
- - Let Windows apps access trusted devices
-
- - Do not show feedback notifications
-
- - Turn off Automatic Download and Update of Map Data
-
- - Force a specific default lock screen image
-
-- Added the AllowLinguisticDataCollection MDM policy.
-
-- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
-
-- Added steps in the [Live tiles](#bkmk-livetiles) section on how to remove the Money and Sports apps.
-
-- Changed the Windows Update section to apply system-wide settings, and not just per user.
-
-## Info management settings
-
-
-This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
-
-The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
-
-- [1. Cortana](#bkmk-cortana)
-
-- [2. Date & Time](#bkmk-datetime)
-
-- [3. Device metadata retrieval](#bkmk-devinst)
-
-- [4. Font streaming](#font-streaming)
-
-- [5. Insider Preview builds](#bkmk-previewbuilds)
-
-- [6. Internet Explorer](#bkmk-ie)
-
-- [7. Mail synchronization](#bkmk-mailsync)
-
-- [8. Microsoft Edge](#bkmk-edge)
-
-- [9. Network Connection Status Indicator](#bkmk-ncsi)
-
-- [10. Offline maps](#bkmk-offlinemaps)
-
-- [11. OneDrive](#bkmk-onedrive)
-
-- [12. Preinstalled apps](#bkmk-preinstalledapps)
-
-- [13. Settings > Privacy](#bkmk-settingssection)
-
-- [14. Software Protection Platform](#bkmk-spp)
-
-- [15. Sync your settings](#bkmk-syncsettings)
-
-- [16. Teredo](#bkmk-teredo)
-
-- [17. Wi-Fi Sense](#bkmk-wifisense)
-
-- [18. Windows Defender](#bkmk-defender)
-
-- [19. Windows Media Player](#bkmk-wmp)
-
-- [20. Windows spotlight](#bkmk-spotlight)
-
-- [21. Windows Store](#bkmk-windowsstore)
-
-- [22. Windows Update](#bkmk-wu)
-
-- [23. Windows Update Delivery Optimization](#bkmk-updates)
-
-See the following table for a summary of the management settings. For more info, see its corresponding section.
-
-
-
-### 1. Cortana
-
-Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
-
-### 1.1 Cortana Group Policies
-
-Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
-
-
-
-
-
-
-
-
-
-
-
-Allow Cortana |
-Choose whether to let Cortana install and run on the device.
-Default: Enabled |
-
-
-Allow search and Cortana to use location |
-Choose whether Cortana and Search can provide location-aware search results.
-Default: Enabled |
-
-
-Do not allow web search |
-Choose whether to search the web from Windows Desktop Search.
-Default: Disabled |
-
-
-Don't search the web or display web results in Search |
-Choose whether to search the web from Cortana.
-Default: Disabled |
-
-
-Set what information is shared in Search |
-Control what information is shared with Bing in Search. |
-
-
-
-
-
-
-When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
-
-1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
-
-2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
-
-3. On the **Rule Type** page, click **Program**, and then click **Next**.
-
-4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
-
-5. On the **Action** page, click **Block the connection**, and then click **Next**.
-
-6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
-
-7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
-
-8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
-
-9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
-
- - For **Protocol type**, choose **TCP**.
-
- - For **Local port**, choose **All Ports**.
-
- - For **Remote port**, choose **All ports**.
-
-**Note**
-If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
-
-
-
-### 1.2 Cortana MDM policies
-
-The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-Experience/AllowCortana |
-Choose whether to let Cortana install and run on the device.
-Default: Allowed |
-
-
-Search/AllowSearchToUseLocation |
-Choose whether Cortana and Search can provide location-aware search results.
-Default: Allowed |
-
-
-
-
-
-
-### 1.3 Cortana Windows Provisioning
-
-To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
-
-### 2. Date & Time
-
-You can prevent Windows from setting the time automatically.
-
-- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
-
- -or-
-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
-
-### 3. Device metadata retrieval
-
-To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-
-### 4. Font streaming
-
-Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
-
-To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
-
-**Note**
-This may change in future versions of Windows.
-
-
-
-### 5. Insider Preview builds
-
-To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
-
-- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
-
- -or-
-
-- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-
- -or-
-
-- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-
-### 6. Internet Explorer
-
-Use Group Policy to manage settings for Internet Explorer.
-
-### 6.1 Internet Explorer Group Policies
-
-Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
-
-
-
-
-
-
-
-
-
-
-
-Turn on Suggested Sites |
-Choose whether an employee can configure Suggested Sites.
-Default: Enabled
-You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box. |
-
-
-Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar |
-Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
-Default: Enabled |
-
-
-Turn off the auto-complete feature for web addresses |
-Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
-Default: Disabled
-You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box. |
-
-
-Disable Periodic Check for Internet Explorer software updates |
-Choose whether Internet Explorer periodically checks for a new version.
-Default: Enabled |
-
-
-Turn off browser geolocation |
-Choose whether websites can request location data from Internet Explorer.
-Default: Disabled |
-
-
-
-
-
-
-### 6.2 ActiveX control blocking
-
-ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
-
-For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-
-### 7. Mail synchronization
-
-To turn off mail synchronization for Microsoft Accounts that are configured on a device:
-
-- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
-
- -or-
-
-- Remove any Microsoft Accounts from the Mail app.
-
- -or-
-
-- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
-
-To turn off the Windows Mail app:
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-
-### 8. Microsoft Edge
-
-Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
-
-### 8.1 Microsoft Edge Group Policies
-
-Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
-
-**Note**
-The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Turn off autofill |
-Choose whether employees can use autofill on websites.
-Default: Enabled |
-
-
-Allow employees to send Do Not Track headers |
-Choose whether employees can send Do Not Track headers.
-Default: Disabled |
-
-
-Turn off password manager |
-Choose whether employees can save passwords locally on their devices.
-Default: Enabled |
-
-
-Turn off address bar search suggestions |
-Choose whether the address bar shows search suggestions.
-Default: Enabled |
-
-
-Turn off the SmartScreen Filter |
-Choose whether SmartScreen is turned on or off.
-Default: Enabled |
-
-
-Open a new tab with an empty tab |
-Choose whether a new tab page appears.
-Default: Enabled |
-
-
-Configure corporate Home pages |
-Choose the corporate Home page for domain-joined devices.
-Set this to about:blank |
-
-
-
-
-
-
-### 8.2 Microsoft Edge MDM policies
-
-The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-Browser/AllowAutoFill |
-Choose whether employees can use autofill on websites.
-Default: Allowed |
-
-
-Browser/AllowDoNotTrack |
-Choose whether employees can send Do Not Track headers.
-Default: Not allowed |
-
-
-Browser/AllowPasswordManager |
-Choose whether employees can save passwords locally on their devices.
-Default: Allowed |
-
-
-Browser/AllowSearchSuggestionsinAddressBar |
-Choose whether the address bar shows search suggestions.
-Default: Allowed |
-
-
-Browser/AllowSmartScreen |
-Choose whether SmartScreen is turned on or off.
-Default: Allowed |
-
-
-
-
-
-
-### 8.3 Microsoft Edge Windows Provisioning
-
-Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
-
-For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-
-### 9. Network Connection Status Indicator
-
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
-
-You can turn off NCSI through Group Policy:
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
-
-### 10. Offline maps
-
-You can turn off the ability to download and update offline maps.
-
-- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps**
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
-
-### 11. OneDrive
-
-To turn off OneDrive in your organization:
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-
-### 12. Preinstalled apps
-
-Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
-
-To remove the News app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
-
-To remove the Weather app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
-
-To remove the Money app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
-
-To remove the Sports app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
-
-To remove the Twitter app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
-
-To remove the XBOX app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
-
-To remove the Sway app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
-
-To remove the OneNote app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
-
-To remove the Get Office app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
-
-To remove the Get Skype app:
-
-- Right-click the Sports app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-
-### 13. Settings > Privacy
-
-Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-
-- [13.1 General](#bkmk-general)
-
-- [13.2 Location](#bkmk-priv-location)
-
-- [13.3 Camera](#bkmk-priv-camera)
-
-- [13.4 Microphone](#bkmk-priv-microphone)
-
-- [13.5 Speech, inking, & typing](#bkmk-priv-speech)
-
-- [13.6 Account info](#bkmk-priv-accounts)
-
-- [13.7 Contacts](#bkmk-priv-contacts)
-
-- [13.8 Calendar](#bkmk-priv-calendar)
-
-- [13.9 Call history](#bkmk-priv-callhistory)
-
-- [13.10 Email](#bkmk-priv-email)
-
-- [13.11 Messaging](#bkmk-priv-messaging)
-
-- [13.12 Radios](#bkmk-priv-radios)
-
-- [13.13 Other devices](#bkmk-priv-other-devices)
-
-- [13.14 Feedback & diagnostics](#bkmk-priv-feedback)
-
-- [13.15 Background apps](#bkmk-priv-background)
-
-### 13.1 General
-
-**General** includes options that don't fall into other areas.
-
-To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
-
-**Note**
-When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-
-
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
-
- -or-
-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
-
-To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
-
- -or-
-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-
- -or-
-
-- Create a provisioning package, using:
-
- - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
-
- - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
-
-To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
-
-**Note**
-If the telemetry level is set to either [Basic](#bkmk-utc-basic) or [Security](#bkmk-utc-security), this is turned off automatically.
-
-
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
-
- - **0**. Not allowed
-
- - **1**. Allowed (default)
-
-To turn off **Let websites provide locally relevant content by accessing my language list**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
-
-### 13.2 Location
-
-In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
-
-To turn off **Location for this device**:
-
-- Click the **Change** button in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-
- -or-
-
-- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Turned off and the employee can't turn it back on.
-
- - **1**. Turned on, but lets the employee choose whether to use it. (default)
-
- - **2**. Turned on and the employee can't turn it off.
-
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
-
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
-
- - **No**. Turns off location service.
-
- - **Yes**. Turns on location service. (default)
-
-To turn off **Location**:
-
-- Turn off the feature in the UI.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
-
- - Set the **Select a setting** box to **Force Deny**.
-
- -or-
-
-To turn off **Location history**:
-
-- Erase the history using the **Clear** button in the UI.
-
-To turn off **Choose apps that can use your location**:
-
-- Turn off each app using the UI.
-
-### 13.3 Camera
-
-In the **Camera** area, you can choose which apps can access a device's camera.
-
-To turn off **Let apps use my camera**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
-
- - Set the **Select a setting** box to **Force Deny**.
-
- -or-
-
-- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
-
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
-
-
- -or-
-
-- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
-
-To turn off **Choose apps that can use your camera**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.4 Microphone
-
-In the **Microphone** area, you can choose which apps can access a device's microphone.
-
-To turn off **Let apps use my microphone**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can use your microphone**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.5 Speech, inking, & typing
-
-In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
-
-**Note**
-For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
-
-
-
-To turn off the functionality:
-
-- Click the **Stop getting to know me** button, and then click **Turn off**.
-
- -or-
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
-
- -and-
-
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
-
-### 13.6 Account info
-
-In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
-
-To turn off **Let apps access my name, picture, and other account info**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose the apps that can access your account info**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.7 Contacts
-
-In the **Contacts** area, you can choose which apps can access an employee's contacts list.
-
-To turn off **Choose apps that can access contacts**:
-
-- Turn off the feature in the UI for each app.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.8 Calendar
-
-In the **Calendar** area, you can choose which apps have access to an employee's calendar.
-
-To turn off **Let apps access my calendar**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can access calendar**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.9 Call history
-
-In the **Call history** area, you can choose which apps have access to an employee's call history.
-
-To turn off **Let apps access my call history**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.10 Email
-
-In the **Email** area, you can choose which apps have can access and send email.
-
-To turn off **Let apps access and send email**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.11 Messaging
-
-In the **Messaging** area, you can choose which apps can read or send messages.
-
-To turn off **Let apps read or send messages (text or MMS)**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can read or send messages**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.12 Radios
-
-In the **Radios** area, you can choose which apps can turn a device's radio on or off.
-
-To turn off **Let apps control radios**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can control radios**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.13 Other devices
-
-In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
-
-To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-
-- Turn off the feature in the UI.
-
-To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.14 Feedback & diagnostics
-
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
-
-To change how frequently **Windows should ask for my feedback**:
-
-**Note**
-Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
-
-
-
-- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
-
- -or-
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
-
- -or-
-
-- Create the registry keys (REG\_DWORD type):
-
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
-
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
-
- Based on these settings:
-
- | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
- |---------------|-----------------------------|-----------------------------|
- | Automatically | Delete the registry setting | Delete the registry setting |
- | Never | 0 | 0 |
- | Always | 100000000 | Delete the registry setting |
- | Once a day | 864000000000 | 1 |
- | Once a week | 6048000000000 | 1 |
-
-
-
-To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-
-- To change from [Enhanced](#bkmk-utc-enhanced), use the drop-down list in the UI. The other levels are **Basic** and **Full**. For more info about these levels, see [How telemetry works](#bkmk-moreutc).
-
- **Note**
- You can't use the UI to change the telemetry level to [Security](#bkmk-utc-security).
-
-
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
-
- -or-
-
-- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
- - **3**. Maps to the [Full](#bkmk-utc-full) level.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
-
- - **0**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
- - **3**. Maps to the [Full](#bkmk-utc-full) level.
-
-### 13.15 Background apps
-
-In the **Background Apps** area, you can choose which apps can run in the background.
-
-To turn off **Let apps run in the background**:
-
-- Turn off the feature in the UI for each app.
-
-### 14. Software Protection Platform
-
-Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
-
-**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
-
-The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-
-### 15. Sync your settings
-
-You can control if your settings are synchronized:
-
-- In the UI: **Settings** > **Accounts** > **Sync your settings**
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
-
- -or-
-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
-
- - **No**. Settings are not synchronized.
-
- - **Yes**. Settings are synchronized. (default)
-
-To turn off Messaging cloud sync:
-
-- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-
-### 16. Teredo
-
-You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
-
-- From an elevated command prompt, run **netsh interface teredo set state disabled**
-
-### 17. Wi-Fi Sense
-
-Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
-
-To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
-
- -or-
-
-- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
-
- -or-
-
-- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
-
- -or-
-
-- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910)
-
-When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-
-### 18. Windows Defender
-
-You can opt of the Microsoft Antimalware Protection Service.
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
-
- -or-
-
-- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
-
-You can stop sending file samples back to Microsoft.
-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
-
- -or-
-
-- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Always prompt.
-
- - **1**. (default) Send safe samples automatically.
-
- - **2**. Never send.
-
- - **3**. Send all samples automatically.
-
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
-
-You can stop downloading definition updates:
-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-
- -and-
-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
-
-You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-
-### 19. Windows Media Player
-
-To remove Windows Media Player:
-
-- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
-
- -or-
-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-
-### 20. Windows spotlight
-
-Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
-
-- Configure the following in **Settings**:
-
- - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**.
-
- - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
-
- - **System** > **Notifications & actions** > **Show me tips about Windows**.
-
- -or-
-
-- Apply the Group Policies:
-
- - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
- - Add a location in the **Path to local lock screen image** box.
-
- - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
-
- **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
-
-
-
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
-
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
-
-For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
-
-### 21. Windows Store
-
-You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-
-### 22. Windows Update Delivery Optimization
-
-Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
-
-By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
-
-Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
-
-### 22.1 Settings > Update & security
-
-You can set up Delivery Optimization from the **Settings** UI.
-
-- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-
-### 22.2 Delivery Optimization Group Policies
-
-You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
-
-
-
-
-
-
-
-
-
-
-
-Download Mode |
-Lets you choose where Delivery Optimization gets or sends updates and apps, including
-
-None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. |
-
-
-Group ID |
-Lets you provide a Group ID that limits which PCs can share apps and updates.
-
- Note
- This ID must be a GUID.
-
-
- |
-
-
-Max Cache Age |
-Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
-The default value is 259200 seconds (3 days). |
-
-
-Max Cache Size |
-Lets you specify the maximum cache size as a percentage of disk size.
-The default value is 20, which represents 20% of the disk. |
-
-
-Max Upload Bandwidth |
-Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
-The default value is 0, which means unlimited possible bandwidth. |
-
-
-
-
-
-
-### 22.3 Delivery Optimization MDM policies
-
-The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-DeliveryOptimization/DODownloadMode |
-Lets you configure where Delivery Optimization gets or sends updates and apps, including:
-
-0. Turns off Delivery Optimization. 1. Gets or sends updates and apps to PCs on the same NAT only. 2. Gets or sends updates and apps to PCs on the same local network domain. 3. Gets or sends updates and apps to PCs on the Internet. |
-
-
-DeliveryOptimization/DOGroupID |
-Lets you provide a Group ID that limits which PCs can share apps and updates.
-
- Note
- This ID must be a GUID.
-
-
- |
-
-
-DeliveryOptimization/DOMaxCacheAge |
-Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
-The default value is 259200 seconds (3 days). |
-
-
-DeliveryOptimization/DOMaxCacheSize |
-Lets you specify the maximum cache size as a percentage of disk size.
-The default value is 20, which represents 20% of the disk. |
-
-
-DeliveryOptimization/DOMaxUploadBandwidth |
-Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
-The default value is 0, which means unlimited possible bandwidth. |
-
-
-
-
-
-
-### 22.4 Delivery Optimization Windows Provisioning
-
-If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
-
-Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
-
-3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
-
-For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
-
-### 23. Windows Update
-
-You can turn off Windows Update by setting the following registry entries:
-
-- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-
- -and-
-
-- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-
-You can turn off automatic updates by doing one of the following. This is not recommended.
-
-- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
-
- -or-
-
-- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Notify the user before downloading the update.
-
- - **1**. Auto install the update and then notify the user to schedule a device restart.
-
- - **2** (default). Auto install and restart.
-
- - **3**. Auto install and restart at a specified time.
-
- - **4**. Auto install and restart without end-user control.
-
- - **5**. Turn off automatic updates.
-
-To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
-
-## Manage your telemetry settings
-
-
-You can manage your telemetry settings using the management tools you're already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings.
-
-You can set your organization's devices to use 1 of 4 telemetry levels:
-
-- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions)
-
-- [Basic](#bkmk-utc-basic)
-
-- [Enhanced](#bkmk-utc-enhanced)
-
-- [Full](#bkmk-utc-full)
-
-For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). If you choose Express settings during installation, your device is configured for the Full telemetry level. In Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core, unattended installations configure your device for the Enhanced telemetry level.
-
-**Important**
-These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies.
-
-
-
-### Use Group Policy to set the telemetry level
-
-Use a Group Policy object to set your organization’s telemetry level.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-
-2. Double-click **Allow Telemetry**.
-
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-
-### Use MDM to set the telemetry level
-
-Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values:
-
-- **0**. Maps to the [Security](#bkmk-utc-security) level.
-
-- **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
-- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
-- **3**. Maps to the [Full](#bkmk-utc-full) level.
-
-### Use Windows Provisioning to set the telemetry level
-
-Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool - part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization's telemetry level.
-
-After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD.
-
-**To use Windows ICD to integrate your package into a custom image**
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next**.
-
-3. Click **Common to all Windows editions** > **Next** > **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following:
-
- - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level
-
- - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level.
-
-5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**.
-
-6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**.
-
-7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**.
-
-8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**.
-
-9. On the **Build the provisioning package** step, click **Build**.
-
-### Use Registry Editor to set the telemetry level
-
-Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry.
-
-If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
-
-2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**.
-
-3. Type **AllowTelemetry**, and then press ENTER.
-
-4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**.
-
- - **0**. This setting maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level
-
- - **3**. This setting maps to the [Full](#bkmk-utc-full) level.
-
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Additional telemetry controls
-
-There are a few more settings that you can turn off that may send telemetry information:
-
-- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-
-- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article.
-
- **Note**
- Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-
-
-## How telemetry works
-
-
-Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization.
-
-### Telemetry levels
-
-This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
-
-- **Security**. Information that's required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
-
-- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level.
-
-- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.
-
-- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.
-
-As a diagram:
-
-
-
-### Security level
-
-The Security level gathers only telemetry info that's required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
-
-**Note**
-If your organization relies on Windows Update for updates, you shouldn't use the Security level. Because no Windows Update information is gathered at this level, Microsoft can't tell whether an update successfully installed.
-
-You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level.
-
-
-
-Security level info includes:
-
-- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- **Note**
- You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users.
-
-
-
-- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender).
-
- **Note**
- This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off.
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality.
-
-
-
-No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer's registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article.
-
-### Basic level
-
-The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version.
-
-Basic level info includes:
-
-- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as mobile operator network and IMEI number
-
- - Processor and memory attributes, such as number of cores, speed, and firmware
-
- - Operating system attributes, such as Windows edition and IsVirtualDevice
-
- - Storage attributes, such as number of drives and memory size
-
-- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems.
-
- - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS.
-
- - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
-
-### Enhanced level
-
-The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-Enhanced level info includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang.
-
-### Full level
-
-The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels.
-
-Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft's internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem.
-
-However, before more info is gathered, Microsoft's privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- Ability to gather user content, such as documents, if they might have been the trigger for the issue.
-
-### How is telemetry information handled by Microsoft?
-
-### Collection
-
-Information gathered by the Connected User Experience and Telemetry component complies with Microsoft's security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info.
-
-### Data Transfer
-
-All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-### Microsoft Data Management Service
-
-The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings.
-
-### Usage
-
-Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis.
-
-An example of personalization is to create individually tailored in-product messages.
-
-Microsoft doesn't share organization-specific customer information with third parties, except at the customer's direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals.
-
-### Retention
-
-Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it's needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.
-
-
-
-
-
+title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
+redirect_url: http://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft
+---
\ No newline at end of file
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png
index 1a4aff8def..527d92d9b2 100644
Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index ffe9e7c732..6371799d7f 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -43,23 +43,27 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
-[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) |
+Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) |
+Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+
+
[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) |
IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. |
-
+
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |
Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
-
+
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) |
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
-
+
[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) |
There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. |
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 51db604bd5..a188d6d0a1 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -9,6 +9,7 @@
### [Integration with management solutions](integration-with-management-solutions-.md)
## [Guidance for education environments](windows-10-guidance-for-education-environments.md)
### [Chromebook migration guide](chromebook-migration-guide.md)
+### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Windows To Go: feature overview](windows-to-go-overview.md)
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index 82a16df6da..7d8965c6d6 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,13 +13,19 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## May 2016
+
+
+| New or changed topic | Description |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | New|
+
## December 2015
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
-
## November 2015
diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md
new file mode 100644
index 0000000000..2c9039447a
--- /dev/null
+++ b/windows/plan/deploy-windows-10-in-a-school.md
@@ -0,0 +1,1264 @@
+---
+title: Deploy Windows 10 in a school (Windows 10)
+description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
+keywords: configure, tools, device, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pgtyp: edu
+ms.sitesec: library
+author: craigash
+---
+
+# Deploy Windows 10 in a school
+
+
+**Applies to**
+
+- Windows 10
+
+This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
+
+## Prepare for school deployment
+
+Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school.
+
+### Plan a typical school configuration
+
+As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
+
+
+
+*Figure 1. Typical school configuration for this guide*
+
+Figure 2 shows the classroom configuration this guide uses.
+
+
+
+*Figure 2. Typical classroom configuration in a school*
+
+This school configuration has the following characteristics:
+- It contains one or more admin devices.
+- It contains two or more classrooms.
+- Each classroom contains one teacher device.
+- The classrooms connect to each other through multiple subnets.
+- All devices in each classroom connect to a single subnet.
+- All devices have high-speed, persistent connections to each other and to the Internet.
+- All teachers and students have access to Windows Store or Windows Store for Business.
+- All devices receive software updates from Intune (or another device management system).
+- You install a 64-bit version of Windows 10 on the admin device.
+- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
+
+ **Note** In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+- The devices use Azure AD in Office 365 Education for identity management.
+- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/).
+- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices.
+- Each device supports a one-student-per-device or multiple-students-per-device scenario.
+- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical.
+- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot).
+- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education.
+
+Office 365 Education allows:
+
+- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser.
+- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students.
+- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty.
+- Teachers to employ Sway to create interactive educational digital storytelling.
+- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
+- Faculty to use advanced email features like email archiving and legal hold capabilities.
+- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management.
+- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
+- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype.
+- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
+- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
+- Students and faculty to use Office 365 Video to manage videos.
+- Students and faculty to use Yammer to collaborate through private social networking.
+- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
+
+For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic).
+
+## How to configure a school
+
+Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge.
+
+The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
+
+You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+
+MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices.
+
+LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
+
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+
+The configuration process requires the following devices:
+
+- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device.
+- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
+- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
+
+The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3:
+
+1. Prepare the admin device for use, which includes installing the Windows ADK and MDT.
+2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school.
+3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
+4. On the admin device, create and configure a Windows Store for Business portal.
+5. On the admin device, prepare for management of the Windows 10 devices after deployment.
+6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
+7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
+
+
+
+*Figure 3. How school configuration works*
+
+Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide.
+
+### Summary
+
+In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school.
+
+## Prepare the admin device
+
+Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share.
+
+### Install the Windows ADK
+
+The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management.
+
+When you install the Windows ADK on the admin device, select the following features:
+
+- Deployment tools
+- Windows Preinstallation Environment (Windows PE)
+- User State Migration Tool (USMT)
+
+For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK).
+
+### Install MDT
+
+Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft.
+
+You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems.
+
+**Note** If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
+
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+
+Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
+
+### Create a deployment share
+
+MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media).
+
+For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare).
+
+### Summary
+
+In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process.
+
+## Create and configure Office 365
+
+Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
+
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+
+### Select the appropriate Office 365 Education license plan
+
+Complete the following steps to select the appropriate Office 365 Education license plan for your school:
+
+
+- Determine the number of faculty members and students who will use the classroom.
Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
+
+- Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+
+*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans*
+
+
+
+
+
+
+
+
+
+
+
+| Standard | - Less expensive than Office 365 ProPlus
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Office 365 ProPlus
|
+| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
- Supports full set of Office features
| - Requires installation
- Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|
+
+
+
+
+The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+
+- Determine whether students or faculty need Azure Rights Management.
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
+- Record the Office 365 Education license plans needed for the classroom in Table 2.
+
+*Table 2. Office 365 Education license plans needed for the classroom*
+
+
+
+
+
+
+
+
+
+
+ | Office 365 Education for students |
+ | Office 365 Education for faculty |
+ | Azure Rights Management for students |
+ | Azure Rights Management for faculty |
+
+
+
+You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
+
+### Create a new Office 365 Education subscription
+
+To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions.
+
+**Note** If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains).
+
+#### To create a new Office 365 subscription
+
+1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar.
+
+ **Note** If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
+ - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**.
+ - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**.
+
+2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account.
+3. Click the hyperlink in the email in your school email account.
+4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription.
+
+### Add domains and subdomains
+
+Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains.
+
+#### To add additional domains and subdomains
+
+1. In the Office 365 admin center, in the list view, click **DOMAINS**.
+2. In the details pane, above the list of domains, on the menu bar, click **Add domain**.
+3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**.
+4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**.
+5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider.
+6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution.
+
+### Configure automatic tenant join
+
+To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
+
+**Note** By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+
+Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
+
+- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant.
+- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it.
+
+You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365.
+
+**Note** You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
+
+All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join*
+
+
+| Action | Windows PowerShell command |
+|------- |----------------------------|
+| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`|
+| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`|
+
+**Note** If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+
+### Disable automatic licensing
+
+To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval.
+
+**Note** By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
+
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+*Table 4. Windows PowerShell commands to enable or disable automatic licensing*
+
+| Action | Windows PowerShell command|
+| -------| --------------------------|
+| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`|
+|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`|
+
+### Enable Azure AD Premium
+
+When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
+
+Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access).
+
+The Azure AD Premium features that are not in Azure AD Basic include:
+
+- Allow designated users to manage group membership
+- Dynamic group membership based on user metadata
+- Multifactor authentication (MFA)
+- Identify cloud apps that your users run
+- Automatic enrollment in a mobile device management (MDM) system (such as Intune)
+- Self-service recovery of BitLocker
+- Add local administrator accounts to Windows 10 devices
+- Azure AD Connect health monitoring
+- Extended reporting capabilities
+
+You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+
+You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process.
+
+For more information about:
+
+- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3).
+
+### Summary
+You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365.
+
+## Select an Office 365 user account–creation method
+
+
+Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts:
+
+- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain.
+- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+
+### Method 1: Automatic synchronization between AD DS and Azure AD
+
+In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+
+**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396).
+
+
+
+*Figure 4. Automatic synchronization between AD DS and Azure AD*
+
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
+
+### Method 2: Bulk import into Azure AD from a .csv file
+
+In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+
+
+
+*Figure 5. Bulk import into Azure AD from other sources*
+
+To implement this method, perform the following steps:
+
+1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires.
+2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
+
+### Summary
+
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+
+## Integrate on-premises AD DS with Azure AD
+
+You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+
+**Note** If your institution does not have an on-premises AD DS domain, you can skip this section.
+
+### Select synchronization model
+
+Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect.
+
+You can deploy the Azure AD Connect tool by using one of the following methods:
+
+- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+
+ 
+
+ *Figure 6. Azure AD Connect on premises*
+
+- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+
+ 
+
+ *Figure 7. Azure AD Connect in Azure*
+
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx).
+
+### Deploy Azure AD Connect on premises
+
+In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+
+#### To deploy AD DS and Azure AD synchronization
+
+1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/).
+2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect).
+4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features).
+
+Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+
+### Verify synchronization
+
+Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+
+#### To verify AD DS and Azure AD synchronization
+
+1. Open https://portal.office.com in your web browser.
+2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
+3. In the list view, expand **USERS**, and then click **Active Users**.
+4. In the details pane, view the list of users. The list of users should mirror the users in AD DS.
+5. In the list view, click **GROUPS**.
+6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS.
+7. In the details pane, double-click one of the security groups.
+8. The list of security group members should mirror the group membership for the corresponding security group in AD DS.
+9. Close the browser.
+
+Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+
+### Summary
+
+In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+
+## Bulk-import user and group accounts into AD DS
+
+You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
+
+**Note** If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
+
+### Select the bulk import method
+
+Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS.
+
+*Table 5. AD DS bulk-import account methods*
+
+|Method | Description and reason to select this method |
+|-------| ---------------------------------------------|
+|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).|
+|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+### Create a source file that contains the user and group accounts
+
+After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods.
+
+*Table 6. Source file format for each bulk import method*
+
+| Method | Source file format |
+|--------| -------------------|
+|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).|
+| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+### Import the user accounts into AD DS
+
+With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
+
+**Note** Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
+
+For more information about how to import user accounts into AD DS by using:
+
+- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
+- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).
+- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
+
+### Summary
+
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+
+## Bulk-import user accounts into Office 365
+
+You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires.
+
+### Create user accounts in Office 365
+
+Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom.
+
+You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users).
+
+The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
+
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+
+**Note** If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
+
+The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365.
+
+### Create Office 365 security groups
+
+Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
+
+**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+
+For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+
+You can add and remove users from security groups at any time.
+
+**Note** Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
+
+### Create email distribution groups
+
+Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student.
+
+You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group.
+
+**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
+
+For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+
+### Summary
+
+Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
+
+## Assign user licenses for Azure AD Premium
+
+Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost.
+
+You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+
+For more information about:
+
+- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+
+## Create and configure a Windows Store for Business portal
+
+Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following:
+
+- Find and acquire Windows Store apps.
+- Manage apps, app licenses, and updates.
+- Distribute apps to your users.
+
+For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+
+The following section shows you how to create a Windows Store for Business portal and configure it for your school.
+
+### Create and configure your Windows Store for Business portal
+
+To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator.
+
+#### To create and configure a Windows Store for Business portal
+
+1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar.
+2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.
**Note** If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
+4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
+5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**.
+
+After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
+
+*Table 7. Menu selections to configure Windows Store for Business settings*
+
+| Menu selection | What you can do in this menu |
+|---------------| -------------------|
+|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
+|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).|
+|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).|
+|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).|
+|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
+|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
+|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
+
+### Find, acquire, and distribute apps in the portal
+
+Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
+
+**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
+
+You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
+
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
+
+### Summary
+
+At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users.
+
+## Plan for deployment
+
+You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process.
+
+### Select the operating systems
+
+Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of:
+
+- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10.
+- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10.
+
+Depending on your school’s requirements, you may need any combination of the following Windows 10 editions:
+
+- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home.
+- **Windows 10 Pro**. Use this operating system to:
+ - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro.
+ - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration.
+- **Windows 10 Education**. Use this operating system to:
+ - Upgrade institution-owned devices to Windows 10 Education.
+ - Deploy new instances of Windows 10 Education so that new devices have a known configuration.
+
+**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home.
+
+One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
+
+**Note** On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
+
+Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture.
+
+### Select an image approach
+
+A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed.
+
+The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment.
+
+The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image.
+
+### Select a method to initiate deployment
+
+The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution.
+
+*Table 8. Methods to initiate MDT deployment*
+
+
+
+
+
+
+
+
+
+
+
+
+| Windows Deployment Services |
+This method:
+
+- Uses diskless booting to initiate MDT deployment.
+- Works only with devices that support PXE boot.
+- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
+- Deploys images more slowly than when using local media.
+- Requires that you deploy a Windows Deployment Services server.
+
+
+Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. |
+
+
+
+| Bootable media |
+This method:
+
+- Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
+- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
+- Deploys images more slowly than when using local media.
+- Requires no additional infrastructure.
+
+
+Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. |
+
+
+
+| MDT deployment media |
+This method:
+
+- Initiates MDT deployment by booting from a local USB hard disk.
+- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
+- Deploys images more quickly than network-based methods do.
+- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
+
+
+Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk. |
+
+
+
+
+### Summary
+
+At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment.
+
+## Prepare for deployment
+
+To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment.
+
+### Configure the MDT deployment share
+
+The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9.
+
+*Table 9. Tasks to configure the MDT deployment share*
+
+
+
+
+
+
+
+
+
+
+
+| 1. Import operating systems |
+Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). |
+
+
+
+| 2. Import device drives |
+Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
+
+Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench).
+
+ |
+
+
+
+| 3. Create MDT applications for Windows Store apps |
+Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
+
+Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.
+
+If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.
+
+In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:
+
+- Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
+- Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+
+
+
+ |
+
+
+
+| 4. Create MDT applications for Windows desktop apps
+ |
+You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
+
+To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).
+
+If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
+
+**Note** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+
+ |
+
+
+
+| 5. Create task sequences.
+ |
+You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will:
+
+- Deploy Windows 10 Education 64-bit to devices.
+- Deploy Windows 10 Education 32-bit to devices.
+- Upgrade existing devices to Windows 10 Education 64-bit.
+- Upgrade existing devices to Windows 10 Education 32-bit.
+
+
+Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench).
+
+ |
+
+
+
+| 6. Update the deployment share.
+ |
+Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
+
+For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). |
+
+
+
+
+### Configure Window Deployment Services for MDT
+
+You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers.
+
+#### To configure Windows Deployment Services for MDT
+
+1. Set up and configure Windows Deployment Services.Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources:
+
+ - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx)
+ - The Windows Deployment Services Help file, included in Windows Deployment Services
+ - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx)
+
+2. Add LTI boot images (Windows PE images) to Windows Deployment Services.
The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+
+### Summary
+
+Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution.
+
+## Prepare for device management
+
+Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant.
+
+### Select the management method
+
+If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases.
+
+For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution.
+
+*Table 10. School management methods*
+
+
+
+
+
+
+
+
+
+
+
+
+| Group Policy |
+
+Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:
+
+- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
+- Want more granular control of device and user settings.
+- Have an existing AD DS infrastructure.
+- Typically manage on-premises devices.
+- Can manage a required setting only by using Group Policy.
+
+
+The advantages of this method include:
+
+- No cost beyond the AD DS infrastructure.
+- A larger number of settings (compared to Intune).
+
+The disadvantages of this method are:
+
+- Can only manage domain-joined (institution-owned devices).
+- Requires an AD DS infrastructure (if the institution does not have AD DS already).
+- Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
+
+ |
+
+
+
+| Intune |
+Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
+Select this method when you:
+
+- Want to manage institution-owned and personal devices (does not require that the device be domain joined).
+- Don’t require the level of granular control over device and user settings (compared to Group Policy).
+- Don’t have an existing AD DS infrastructure.
+- Need to manage devices regardless of where they are (on or off premises).
+- Can manage a required setting only by using Intune.
+
+
+The advantages of this method are:
+
+- You can manage institution-owned and personal devices.
+- It doesn’t require that devices be domain joined.
+- It doesn’t require any on-premises infrastructure.
+- It can manage devices regardless of their location (on or off premises).
+
+
+The disadvantages of this method are:
+
+- Carries an additional cost for subscription.
+- Doesn’t have a granular level control over device and user settings (compared to Group Policy).
+
+
+ |
+
+
+
+
+
+### Select Microsoft-recommended settings
+
+Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings.
+
+*Table 11. Recommended settings for educational institutions*
+
+
+
+
+
+
+
+
+
+
+
+
+
+| Use of Microsoft accounts |
+You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
+**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.
+**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Restrict local administrator accounts on the devices |
+Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Intune**. Not available.
+ |
+
+
+
+| Restrict the local administrator accounts on the devices |
+Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Intune**. Not available.
+ |
+
+
+
+| Manage the built-in administrator account created during device deployment |
+When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.
+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).
+**Intune**. Not available.
+ |
+
+
+
+| Control Windows Store access |
+You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.
+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
+**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of Remote Desktop connections to devices |
+Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
+**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
+**Intune**. Not available.
+ |
+
+
+
+| Use of camera |
+A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
+**Group Policy**. Not available.
+**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of audio recording |
+Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).
+**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of screen capture |
+Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
+**Group Policy**. Not available.
+**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of location services |
+Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
+**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.
+**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Changing wallpaper |
+Displaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.
+**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.
+**Intune**. Not available.
+ |
+
+
+
+
+
+### Configure settings by using Group Policy
+
+Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
+
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx).
+
+#### To configure Group Policy settings
+
+1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx).
+
+### Configure settings by using Intune
+
+Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
+
+For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
+
+#### To configure Intune settings
+
+1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
+2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx).
+3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx).
+4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx).
+
+### Deploy apps by using Intune
+
+You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution.
+
+For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
+
+### Summary
+
+In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively.
+
+## Deploy Windows 10 to devices
+
+You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10.
+
+### Prepare for deployment
+
+Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure.
+
+*Table 12. Deployment preparation checklist*
+
+|Task | |
+| ---| --- |
+| |The target devices have sufficient system resources to run Windows 10. |
+| | Identify the necessary devices drivers, and import them to the MDT deployment share.|
+| | Create an MDT application for each Windows Store and Windows desktop app.|
+| | Notify the students and faculty about the deployment.|
+
+### Perform the deployment
+
+Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
+
+**Note** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
+
+In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
+
+#### To deploy Windows 10
+
+1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
+2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
+
+### Set up printers
+
+After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section.
+
+**Note** If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section.
+
+#### To set up printers
+
+1. Review the printer manufacturer’s instructions for installing the printer drivers.
+2. On the admin device, download the printer drivers.
+3. Copy the printer drivers to a USB drive.
+4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device.
+5. Insert the USB drive in the device.
+6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive.
+7. Verify that the printer drivers were installed correctly by printing a test page.
+8. Complete steps 1–8 for each printer.
+
+### Verify deployment
+
+As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following:
+
+- The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
+- Windows Update is active and current with software updates.
+- Windows Defender is active and current with malware signatures.
+- The SmartScreen Filter is active.
+- All Windows Store apps are properly installed and updated.
+- All Windows desktop apps are properly installed and updated.
+- Printers are properly configured.
+
+When you have verified that the first device is properly configured, you can move to the next device and perform the same steps.
+
+### Summary
+
+You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use.
+
+## Maintain Windows devices and Office 365
+
+After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule:
+
+- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware.
+- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students.
+- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration.
+
+Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
+
+*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Verify that Windows Update is active and current with operating system and software updates.
+For more information about completing this task when you have:
+
+- Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
+- Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
+- Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
+- Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
+
+ |
+X |
+X |
+X |
+
+
+
+Verify that Windows Defender is active and current with malware signatures.
+For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). |
+X |
+X |
+X |
+
+
+
+Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
+For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus)
+ |
+X |
+X |
+X |
+
+
+
+Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
+For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). |
+ |
+X |
+X |
+
+
+
+Refresh the operating system and apps on devices.
+For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.
+For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Install new or update existing Windows Store apps that are used in the curriculum.
+Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.
+You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Remove unnecessary user accounts (and corresponding licenses) from Office 365.
+For more information about how to:
+
+- Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
+- Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
+
+
+ |
+ |
+X |
+X |
+
+
+
+Add new accounts (and corresponding licenses) to Office 365.
+For more information about how to:
+
+- Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
+- Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
+
+ |
+ |
+X |
+X |
+
+
+
+Create or modify security groups and manage group membership in Office 365.
+For more information about how to:
+
+- Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
+- Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
+
+
+ |
+ |
+X |
+X |
+
+
+
+Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange).
+
+ |
+ |
+X |
+X |
+
+
+
+Install new student devices
+Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.
+
+ |
+ |
+ |
+X |
+
+
+
+
+
+### Summary
+
+Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified.
+
+##Related resources
+
+- [Try it out: Windows 10 deployment (for educational institutions)](http://go.microsoft.com/fwlink/p/?LinkId=623254)
+- [Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)
+- [Chromebook migration guide](http://go.microsoft.com/fwlink/p/?LinkId=623249)
+
+
diff --git a/windows/plan/images/deploy-win-10-school-figure1.png b/windows/plan/images/deploy-win-10-school-figure1.png
new file mode 100644
index 0000000000..66113dcce1
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure1.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure2.png b/windows/plan/images/deploy-win-10-school-figure2.png
new file mode 100644
index 0000000000..0227f8dbaa
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure2.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure3.png b/windows/plan/images/deploy-win-10-school-figure3.png
new file mode 100644
index 0000000000..1b39b5cc14
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure3.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure4.png b/windows/plan/images/deploy-win-10-school-figure4.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure4.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure5.png b/windows/plan/images/deploy-win-10-school-figure5.png
new file mode 100644
index 0000000000..550386f1ce
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure5.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure6.png b/windows/plan/images/deploy-win-10-school-figure6.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure6.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure7.png b/windows/plan/images/deploy-win-10-school-figure7.png
new file mode 100644
index 0000000000..8e7581007a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure7.png differ