Merge remote-tracking branch 'refs/remotes/origin/master' into sh-7964665

Trudy Hakala 2016-10-11 13:18:11 -07:00
commit e04f93f2cc
70 changed files with 2024 additions and 2623 deletions

View File

@ -16,166 +16,43 @@ localizationpriority: medium
This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype. This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
A "device account" is an account that the Microsoft Surface Hub uses to: A **device account** is an Exchange resource account that Surface Hub uses to:
- sync its meeting calendar, - Display its meeting calendar
- send mail, - Join Skype for Business calls
- and enable Skype for Business compatibility. - Send email (for example, email whiteboard content from a meeting)
People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees. Once the device account is provisioned to a Surface Hub, people can add this account to a meeting invitation the same way that they would invite a meeting room.
>**Important**  Without a device account, none of these features will work. ## Configuration overview
  This table explains the main steps and configuration decisions when you create a device account.
| Step | Description | Purpose |
|------|---------------------------------|--------------------------------------|
| 1 | Created a logon-enabled Exchange resource mailbox (Exchange 2013 or later, or Exchange Online) | This resource mailbox allows the device to maintain a meeting calendar, receive meeting requests, and send mail. It must be logon-enabled to be provisioned to a Surface Hub. |
| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
Every device account is unique to a single Surface Hub, and requires some setup: ## Detailed configuration steps
- The device account must be configured correctly, as described in the folllowing sections. We recommend setting up your device accounts using remote PowerShell. There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts and instructions, see [Appendix A: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
- Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services.
You can think of a device account as the resource account that people recognize as a conference rooms or meeting spaces account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one. For detailed steps using PowerShell to provision a device account, choose an option from the table, based on your organization deployment.
If you already have a resource mailbox account set up for the meeting space where youre putting a Surface Hub, you can change that resource account into a device account. Once thats done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md). | Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
The following sections will describe how to create and test a device account before configuring your Surface Hub. If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
### Basic configuration
These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Property</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Exchange mailbox (Exchange 2013 or later, or Exchange Online)</p></td>
<td align="left"><p>Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hubs welcome screen. The Surface Hub mailbox must be a room mailbox.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)</p></td>
<td align="left"><p>Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Password-enabled</p></td>
<td align="left"><p>The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Compatible EAS policies</p></td>
<td align="left"><p>The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="advanced-config"></a>Advanced configuration
While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Property</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Certificate-based authentication</p></td>
<td align="left"><p>Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.</p>
<p>See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Allowed device IDs (ActiveSync Device ID)</p></td>
<td align="left"><p>Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device accounts mail and calendar. You must ensure that the Surface Hubs device ID is added to this whitelist. This can either be configured using PowerShell (by setting the <code>ActiveSyncAllowedDeviceIDs</code> property) or the Exchange administrative portal.</p>
<p>You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).</p></td>
</tr>
</tbody>
</table>
 
### How do I set up the account?
The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
### Device account configuration
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organizations environment is deployed entirely on Office 365.
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md).
### Device account resources
These sections describe resources used by the Surface Hub device account.
- [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly.
- [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar.
- [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Online deployment](online-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>This topic has instructions for adding a device account for your Surface Hub when you have a pure, online deployment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>This topic explains how you add a device account for your Surface Hub when you have a single-forest, on-premises deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Create a device account using UI](create-a-device-account-using-office-365.md)</p></td>
<td align="left"><p>If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Password management](password-management-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>Every Surface Hub device account requires a password to authenticate and enable features on the device.</p></td>
</tr>
</tbody>
</table>
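Review bot: the new Configuration overview table drops the Advanced configuration row on certificate-based authentication, together with its link to [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md), and gives no replacement; if certificates can still be required for ActiveSync and Skype for Business in some environments, the Detailed configuration steps section should keep that pointer. In the same way, step 5 ("Whitelist ActiveSync Device ID") loses the direct link to [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet) that the removed table carried; add it back to the Purpose cell. Two wording points in the table: step 6 says you can "turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password", which reads as one combined action, while the password management topic in this same commit lists those as two separate options, so "or" is the right conjunction; and step 1 reads "Created a logon-enabled Exchange resource mailbox" where every other step uses the imperative ("Create"). In the Detailed configuration steps paragraph, "help create and validate device accounts For more information" is missing the period before "For".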
   

View File

@ -169,17 +169,19 @@ On this page, the Surface Hub will ask for credentials for the device account th
>**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors. >**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.
 
![Image showing Enter device account info page.](images/setupdeviceacct.png) ![Image showing Enter device account info page.](images/setupdeviceacct.png)
### Details ### Details
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password.
| Environment | Required format for device account|
| ------------ | ----------------------------------|
| Device account is hosted only online. | username@domain.com|
| Device account is hosted only on-prem. | DOMAIN\username|
| Device account is hosted online and on-prem (hybrid). | DOMAIN\username|
- **User principal name:** This is the UPN of the device account for this Surface Hub. If youre using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account.
- **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If youre using an Active Directory (AD) deployment, then you must enter the account in this format.
- **Password:** Enter the device account password.
Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to: Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to:
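Review bot: the new format table reverses the guidance that the removed bullet gave for hybrid deployments. The deleted text read "If you're using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account", while the new row says a hybrid account must be entered as DOMAIN\username. The new value agrees with the IMPORTANT note added to the password management topic in this commit (domain\username is required for password rotation in a hybrid topology), so it looks intentional, but the table should say why the format matters, for example "In a hybrid deployment, password rotation requires the domain\username format", so readers who previously entered the UPN understand what changes for them. Also add a blank line between the sentence ending "enter the password." and the table's header row; some Markdown renderers will not start a table directly after paragraph text.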

View File

@ -11,12 +11,12 @@ localizationpriority: medium
--- ---
# End a Surface Hub meeting with I'm Done # End a Surface Hub meeting with I'm Done
Surface Hub is a collaboration device designed to be used simultaneously and sequentially by multiple people. At the end of a Surface Hub meeting, one of the attendees can tap or click **I'm Done** to end the meeting. Tapping **I'm Done** tells Surface Hub to clean up info from the current meeting, so that it will be ready for the next meeting. When a meeting attendee taps **I'm Done**, Surface Hub cleans up, or resets, these states. Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
- Applications - Applications
- Operating system - Operating system
- User interface - User interface
This topic explains what **I'm Done** resets for each of these states. This topic explains what **I'm Done** resets for each of these states.
## Applications ## Applications
When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
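Review bot: the unchanged context line in this hunk still reads "until date is removed or overwritten"; since the paragraph is being touched anyway, fix "date" to "data". The same line writes the feature name as "**I'm done**" while the heading and the new intro sentence use "**I'm Done**"; pick one casing for the whole topic.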
@ -35,6 +35,7 @@ Skype does not store personally-identifiable information on Surface Hub. Informa
## Operating System ## Operating System
The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
### File System ### File System
Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:<br> Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:<br>
- Music - Music
@ -53,7 +54,7 @@ Surface Hub also clears these directories, since many applications often write t
- Public Downloads - Public Downloads
### Credentials ### Credentials
User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap Im done. User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **Im done**.
## User interface ## User interface
User interface (UI) settings are returned to their default values when **I'm Done** is selected. User interface (UI) settings are returned to their default values when **I'm Done** is selected.
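Review bot: the Credentials line only adds bold around the feature name, but the name itself is still "Im done" (the apostrophe does not survive in the rendered diff, and "done" is lowercase) while the rest of the topic writes "I'm Done". Normalise it to "**I'm Done**" in the same change.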
@ -69,7 +70,7 @@ User interface (UI) settings are returned to their default values when **I'm Don
Accessibility features and apps are returned to default settings when **I'm Done** is selected. Accessibility features and apps are returned to default settings when **I'm Done** is selected.
- Filter keys - Filter keys
- High contrast - High contrast
- Stickey keys - Sticky keys
- Toggle keys - Toggle keys
- Mouse keys - Mouse keys
- Magnifier - Magnifier
@ -80,12 +81,11 @@ The clipboard is cleared to remove data that was copied to the clipboard during
## Frequently asked questions ## Frequently asked questions
**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**<br> **What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**<br>
When you don't tap **I"m Done** at the end of your meeting, Surface Hub enters a Resume state. This is similar to leaving content on a whiteboard in a meeting room, and forgetting to erase the whiteboard. When you return to the meeting room, that content will still be on the whiteboard unless someone erarses it. With Surface Hub, meeting content is still available if an attendee doesn't tap **I'm Done**. However, Surface Hub removes all meeting data during daily maintenance. Any meeting that wasn't ended with **I'm Done** will be cleaned up during maintenance. Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one.
**Are documents recoverable?**<br> **Are documents recoverable?**<br>
Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. 3rd-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**<br> **Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**<br>
No. Currently, the clean-up actions from **I'm Done** do not comply with this standard. No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
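Review bot: the rewritten answer to "What happens if I forget to tap I'm Done" changes the stated behaviour, not just the wording. The removed text said that Surface Hub removes all meeting data during daily maintenance and that any meeting not ended with I'm Done is cleaned up then; the new text says Surface Hub only cleans up meeting content when users tap I'm Done, and that from the welcome screen users can resume the previous session. If daily maintenance no longer clears an unended session, the answer should say so explicitly, because the practical consequence is that the next group at the device can resume the previous session and see its content; one sentence stating that, plus a pointer to any admin setting that controls it (if one exists), would make the risk clear to readers. If maintenance still clears unended sessions, keep that sentence from the old text. Since the Credentials section above says stored credentials are cleared when I'm Done is tapped, the answer should also make clear whether they remain available in a resumed session.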

View File

@ -13,62 +13,24 @@ localizationpriority: medium
# Password management (Surface Hub) # Password management (Surface Hub)
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change (or "rotate") this password regularly. However, if the device accounts password changes, the password that was previously stored on the Surface Hub will be invalid, and all features that depend on the device account will be disabled. You will need to update the device accounts password on the Surface Hub from the Settings app to re-enable these features.
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device accounts password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device accounts password on the Surface Hub from the Settings app to re-enable these features. To simplify password management for your Surface Hub device accounts, there are two options:
To prevent the device account from expiring, there are two options: 1. Turn off password expiration for the device account.
1. Set the password on the device account so it doesn't expire.
2. Allow the Surface Hub to automatically rotate the device accounts password. 2. Allow the Surface Hub to automatically rotate the device accounts password.
## Setting the password so it doesn't expire
## Turn off password rotation for the device account
Set the device accounts **PasswordNeverExpires** property to True. You should verify whether this meets your organizations security requirements. Set the device accounts **PasswordNeverExpires** property to True. You should verify whether this meets your organizations security requirements.
## Allow the Surface Hub to manage the password
The Surface Hub can manage a device accounts password by changing it frequently without requiring you to manually update the device accounts information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily.
Note that when the device accounts password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password.
For your device account to use password rotation, you must meet enter the device accounts information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Environment</th>
<th align="left">Required format for device account</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Device account is hosted only online</p></td>
<td align="left"><p>username@contoso.com</p></td>
</tr>
<tr class="even">
<td align="left"><p>Device account is hosted only on-prem</p></td>
<td align="left"><p>DOMAIN\username</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device account is hosted online and on-prem (hybrid)</p></td>
<td align="left"><p>DOMAIN\username</p></td>
</tr>
</tbody>
</table>
 
 
 
## Allow the Surface Hub to automatically rotate the device accounts password
The Surface Hub can manage a device accounts password by changing it frequently without requiring you to manually update the device accounts information. You can enable this feature in **Settings**. Once enabled, the device account's password will change weekly during maintenance hours.
Note that when the device accounts password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory or the Office 365 admin portal to reset the password.
> [!IMPORTANT]
> If your organization uses a hybrid topology (some services are hosted on-premises and some are hosted online through Office 365), you must setup the device account in **domain\username** format. Otherwise, password rotation will not work.
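Review bot: the new heading "## Turn off password rotation for the device account" does not match its content or the option list above it. The list item reads "Turn off password expiration for the device account", and the section body sets **PasswordNeverExpires** to True, which is about expiration; rotation is the second option and has its own section, "Allow the Surface Hub to automatically rotate the device account's password". Rename the heading to "Turn off password expiration for the device account". Smaller points in the new text: "change ( or "rotate") this password" has a stray space inside the parenthesis; "the device account on the Surface Hub will be expired" is clearer as "the password stored on the Surface Hub will no longer be valid", which is what the removed sentence said; the rotation interval changes from "daily" to "weekly during maintenance hours", so confirm that this matches current device behaviour; "you'll need use Active Directory" is missing "to"; and in the IMPORTANT note "you must setup" should be "you must set up".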

View File

@ -45,6 +45,7 @@
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md) ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)

View File

@ -11,6 +11,11 @@ author: greg-lindsay
# Change history for Deploy Windows 10 # Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
## September 2016 ## September 2016
| New or changed topic | Description | | New or changed topic | Description |
|----------------------|-------------| |----------------------|-------------|

View File

@ -21,6 +21,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. | | [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
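Review bot: the new "Resolve Windows 10 upgrade errors" row links to resolve-windows-10-upgrade-errors.md; confirm that topic is part of this change set or already in the tree, because a dead relative link in the index table is the first thing readers hit. Its description also reads better as "resolve issues with Windows 10 upgrades". Unchanged but visible in the same context: the "Upgrade to Windows 10 with System Center Configuration Manager" row points at upgrade-to-windows-10-with-system-center-configuraton-manager.md ("configuraton"); if that really is the file name the link works, but it is worth checking rather than assuming.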

View File

@ -40,30 +40,30 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
1. General * General
2. Name: Install Windows 10 Enterprise x64 * Name: Install Windows 10 Enterprise x64
3. Limited Collection: All Systems * Limited Collection: All Systems
4. Membership rules: * Membership rules:
5. Direct rule * Direct rule
6. Resource Class: System Resource * Resource Class: System Resource
7. Attribute Name: Name * Attribute Name: Name
8. Value: PC0003 * Value: PC0003
9. Select **Resources** * Select **Resources**
10. Select **PC0003** * Select **PC0003**
2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. 2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
**Note**   >[!NOTE] 
It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
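Review bot: turning the numbered settings into bullets flattens the wizard structure: "General" and "Membership rules:" are page names in the Create Device Collection wizard, not settings, yet they now sit at the same level as "Name: Install Windows 10 Enterprise x64" and "Value: PC0003". Nest the settings under their page (Name and Limited Collection under General; Direct rule through Select PC0003 under Membership rules) or bold the page names so the list still reads as two wizard pages; the same flat pattern recurs in the later collection-creation hunk for PC0004. Also, the `>[!NOTE]` line carries trailing non-breaking spaces and the old padding line after the note body is still there; drop both so the callout closes cleanly.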
   
@ -82,8 +82,8 @@ Using the Configuration Manager console, in the Software Library workspace, sele
- Make available to the following: Configuration Manager clients, media and PXE - Make available to the following: Configuration Manager clients, media and PXE
**Note**   >[!NOTE]  
It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
   
@ -110,10 +110,8 @@ Now you can start the computer refresh on PC0003.
1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**. 1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
**Note**   >[!NOTE]  
The Client Notification feature is new in Configuration Manager. >The Client Notification feature is new in Configuration Manager.
 
2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**. 2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
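Review bot: "The Client Notification feature is new in Configuration Manager" is a time-relative claim that will be wrong soon after publication, and it is not new relative to the 2012 R2 release this series targets; name the version that introduced it or drop the sentence. In the unchanged step 2 of the same hunk, "begin using the Start screen" does not fit a Windows 7 SP1 client, which has a Start menu; "open Software Center from the Start menu" is what the reader will actually do.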

View File

@ -20,7 +20,7 @@ This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (L
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](images/mdt-04-fig01.png) ![The machines used in this topic](images/mdt-04-fig01.png "The machines used in this topic")
Figure 1. The machines used in this topic. Figure 1. The machines used in this topic.
@ -28,15 +28,21 @@ Figure 1. The machines used in this topic.
Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
1. Back up data and settings locally, in a backup folder. 1. Back up data and settings locally, in a backup folder.
2. Wipe the partition, except for the backup folder. 2. Wipe the partition, except for the backup folder.
3. Apply the new operating system image. 3. Apply the new operating system image.
4. Install other applications. 4. Install other applications.
5. Restore data and settings. 5. Restore data and settings.
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
**Note**   >[!NOTE] 
In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario. >In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
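Review bot: the note says the optional full WIM backup is enabled "by configuring the MDT rules" without naming the rule; point the reader at the CustomSettings.ini property involved (ComputerBackupLocation, with BackupFile for the file name) so they can find it. The step list above says "Wipe the partition, except for the backup folder" while the paragraph below explains that the hard-link store leaves the files in place; say explicitly that with a hard-link store no user data is erased or copied off the disk during the wipe, so nobody reads "wipe" as sanitization of the old installation. Same trailing padding line after the note body as in the earlier callout conversions.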
   
### Multi-user migration ### Multi-user migration
@ -45,8 +51,8 @@ by configuring command-line switches to ScanState (added as rules in MDT).
As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
**Note**   >[!NOTE] 
You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. >You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
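Review bot: the ScanStateArgs example is written as escaped inline text (`\*\\\*`), which is fragile in Markdown and not copy-pasteable; put `ScanStateArgs=/ue:*\* /ui:CONTOSO\*` in a code span or fenced block so no escaping is needed. The /uel note describes the threshold as profiles "accessed" within N days; USMT keys that switch on last logon, so "logged on" is the accurate wording, and it is worth stating the precedence (a user matched by /ui is migrated even when /ue or /uel would exclude it), since that is what makes the switches combine as described.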
   
### Support for additional settings ### Support for additional settings
@ -55,12 +61,15 @@ In addition to the command-line switches that control which profiles to migrate,
## <a href="" id="sec02"></a>Create a custom User State Migration Tool (USMT) template ## <a href="" id="sec02"></a>Create a custom User State Migration Tool (USMT) template
In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will: In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
1. Back up the **C:\\Data** folder (including all files and folders). 1. Back up the **C:\\Data** folder (including all files and folders).
2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine. 2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include: The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
- [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
* [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
### Add the custom XML template ### Add the custom XML template
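Review bot: the sentence says MigContosoData.xml "can be found in the sample files for this documentation", but none of the three bulleted downloads (Gather script, Set-OUPermissions, MDT Sample Web Service) is that template; either add the link for the download that actually contains MigContosoData.xml or reword so the reader is not sent through three unrelated fwlinks looking for it.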
@ -77,27 +86,30 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it
After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10. After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
**Note**   >[!NOTE]   
MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). >MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
   
### Upgrade (refresh) a Windows 7 SP1 client ### Upgrade (refresh) a Windows 7 SP1 client
1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: 1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
2. Computer name: &lt;default&gt; * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
3. Specify where to save a complete computer backup: Do not back up the existing computer * Computer name: &lt;default&gt;
**Note**   * Specify where to save a complete computer backup: Do not back up the existing computer
Skip this optional full WIM backup. The USMT backup will still run. >[!NOTE]
>Skip this optional full WIM backup. The USMT backup will still run.
   
2. Select one or more applications to install: Install - Adobe Reader XI - x86 2. Select one or more applications to install: Install - Adobe Reader XI - x86
3. The setup now starts and does the following:
1. Backs up user settings and data using USMT.
2. Installs the Windows 10 Enterprise x64 operating system.
3. Installs the added application(s).
4. Updates the operating system via your local Windows Server Update Services (WSUS) server.
5. Restores user settings and data using USMT.
![figure 2](images/fig2-taskseq.png) 3. The setup now starts and does the following:
* Backs up user settings and data using USMT.
* Installs the Windows 10 Enterprise x64 operating system.
* Installs the added application(s).
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores user settings and data using USMT.
![Start the computer refresh from the running Windows 7 client](images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client")
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client. Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
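Review bot: step 1 has the reader log on to PC0001 as CONTOSO\Administrator to launch Litetouch.vbs from the MDTProduction$ share; a refresh needs local administrator rights on the client plus read access to the share, so the guide should not normalize a domain-admin interactive logon on a workstation that is about to be re-imaged. Recommend a local admin or a low-privileged deployment account here, in line with least privilege. Also, the `>[!NOTE]` callout now sits inside the bulleted settings list under step 1; make sure it is indented with that list so it renders inside the item instead of breaking the numbering before step 2.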
@ -109,7 +121,6 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

View File

@ -32,9 +32,9 @@ In this topic, you will create a backup-only task sequence that you run on PC000
3. On the **General** page, assign the following settings and click **Next**: 3. On the **General** page, assign the following settings and click **Next**:
1. Task sequence name: Replace Task Sequence * Task sequence name: Replace Task Sequence
2. Task sequence comments: USMT backup only * Task sequence comments: USMT backup only
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. 4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
@ -48,9 +48,11 @@ In this topic, you will create a backup-only task sequence that you run on PC000
9. On the **Confirmation** page, click **Finish**. 9. On the **Confirmation** page, click **Finish**.
10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. 10. Review the Replace Task Sequence.
>[!NOTE]
>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
![figure 34](images/mdt-06-fig42.png) ![The back-up only task sequence](images/mdt-06-fig42.png "The back-up only task sequence")
Figure 34. The backup-only task sequence (named Replace Task Sequence). Figure 34. The backup-only task sequence (named Replace Task Sequence).
@ -67,13 +69,13 @@ This section walks you through the process of associating a blank machine, PC000
4. On the **Single Computer** page, use the following settings and then click **Next**: 4. On the **Single Computer** page, use the following settings and then click **Next**:
1. Computer Name: PC0006 * Computer Name: PC0006
2. MAC Address: &lt;the mac address from step 1&gt; * MAC Address: &lt;the mac address from step 1&gt;
3. Source Computer: PC0004 * Source Computer: PC0004
![figure 35](images/mdt-06-fig43.png) ![Create the computer association](images/mdt-06-fig43.png "Create the computer association")
Figure 35. Creating the computer association between PC0004 and PC0006. Figure 35. Creating the computer association between PC0004 and PC0006.
@ -96,25 +98,25 @@ This section walks you through the process of associating a blank machine, PC000
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
1. General * General
2. Name: USMT Backup (Replace) * Name: USMT Backup (Replace)
3. Limited Collection: All Systems * Limited Collection: All Systems
4. Membership rules: * Membership rules:
5. Direct rule * Direct rule
6. Resource Class: System Resource * Resource Class: System Resource
7. Attribute Name: Name * Attribute Name: Name
8. Value: PC0004 * Value: PC0004
9. Select **Resources** * Select **Resources**
10. Select **PC0004** * Select **PC0004**
2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. 2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
@ -158,10 +160,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**. 2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
**Note**   >[!NOTE]  
You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**. 3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
@ -173,8 +173,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. 7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
**Note**   >[!NOTE]  
It may take a few minutes for the user state store location to be populated. >It may take a few minutes for the user state store location to be populated.
   
@ -183,21 +183,21 @@ It may take a few minutes for the user state store location to be populated.
1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: 1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
1. Password: P@ssw0rd * Password: P@ssw0rd
2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
2. The setup now starts and does the following: 2. The setup now starts and does the following:
1. Installs the Windows 10 operating system * Installs the Windows 10 operating system
2. Installs the Configuration Manager client * Installs the Configuration Manager client
3. Joins it to the domain * Joins it to the domain
4. Installs the applications * Installs the applications
5. Restores the PC0004 backup * Restores the PC0004 backup
When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored. When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
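Review bot: "Password: P@ssw0rd" appears here without saying which prompt it answers; state that it is the PXE password configured on the distribution point in the lab setup, and add that it is the only thing standing between anyone on the network who can press F12 and a task sequence that installs Windows, installs the client, joins the domain and restores PC0004's user state, so the lab value must not be carried into production.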

View File

@ -19,7 +19,7 @@ author: mtniehaus
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](images/mdt-03-fig01.png) ![The machines used in this topic](images/mdt-03-fig01.png "The machines used in this topic")
Figure 1. The machines used in this topic. Figure 1. The machines used in this topic.
@ -30,11 +30,13 @@ When preparing for the computer replace, you need to create a folder in which to
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share ### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules. 1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. 2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
### Create and share the MigData folder ### Create and share the MigData folder
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: 2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` syntax ``` syntax
New-Item -Path E:\MigData -ItemType directory New-Item -Path E:\MigData -ItemType directory
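Review bot: the fenced block is tagged ``` syntax; tag it powershell (the text says the commands run in an elevated Windows PowerShell prompt) so it highlights and tooling can pick the language up. Only one of the "three commands" is visible in this hunk; whatever the share-creation lines are, MigData$ will hold USMT.MIG stores of user profiles, so the share and NTFS ACLs should grant write access to the deployment account and the computers being replaced, not to Everyone, and the doc should say so at the point where the share is created.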
@ -45,75 +47,89 @@ When preparing for the computer replace, you need to create a folder in which to
### Create a backup only (replace) task sequence ### Create a backup only (replace) task sequence
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**. 1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: 2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REPLACE-001
2. Task sequence name: Backup Only Task Sequence * Task sequence ID: REPLACE-001
3. Task sequence comments: Run USMT to backup user data and settings * Task sequence name: Backup Only Task Sequence
4. Template: Standard Client Replace Task Sequence * Task sequence comments: Run USMT to backup user data and settings
* Template: Standard Client Replace Task Sequence
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. 3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
![figure 2](images/mdt-03-fig02.png) ![The Backup Only Task Sequence action list](images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
Figure 2. The Backup Only Task Sequence action list. Figure 2. The Backup Only Task Sequence action list.
## <a href="" id="sec02"></a>Perform the computer replace ## <a href="" id="sec02"></a>Perform the computer replace
During a computer replace, these are the high-level steps that occur: During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup. 1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. 2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Execute the replace task sequence ### Execute the replace task sequence
1. On PC0002, log on as **CONTOSO\\Administrator**. 1. On PC0002, log on as **CONTOSO\\Administrator**.
2. Verify that you have write access to the **\\\\MDT01\\MigData$** share. 2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. 3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
4. Complete the Windows Deployment Wizard using the following settings: 4. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence 1. Select a task sequence to execute on this computer: Backup Only Task Sequence
1. Specify where to save your data and settings: Specify a location * Specify where to save your data and settings: Specify a location
2. Location: \\\\MDT01\\MigData$\\PC0002 * Location: \\\\MDT01\\MigData$\\PC0002
**Note**   >[!NOTE]  
If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
   
2. Specify where to save a complete computer backup: Do not back up the existing computer 2. Specify where to save a complete computer backup: Do not back up the existing computer
3. Password: P@ssw0rd 3. Password: P@ssw0rd
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine. The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
![figure 3](images/mdt-03-fig03.png) ![The new task sequence](images/mdt-03-fig03.png "The new task sequence")
Figure 3. The new task sequence running the Capture User State action on PC0002. Figure 3. The new task sequence running the Capture User State action on PC0002.
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder. 5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
![figure 4](images/mdt-03-fig04.png) ![The USMT backup](images/mdt-03-fig04.png "The USMT backup")
Figure 4. The USMT backup of PC0002. Figure 4. The USMT backup of PC0002.
### Deploy the PC0007 virtual machine ### Deploy the PC0007 virtual machine
1. Create a virtual machine with the following settings: 1. Create a virtual machine with the following settings:
1. Name: PC0007
2. Location: C:\\VMs * Name: PC0007
3. Generation: 2 * Location: C:\\VMs
4. Memory: 2048 MB * Generation: 2
5. Hard disk: 60 GB (dynamic disk) * Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server. 2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
![figure 5](images/mdt-03-fig05.png) ![The initial PXE boot process](images/mdt-03-fig05.png "The initial PXE boot process")
Figure 5. The initial PXE boot process of PC0005. Figure 5. The initial PXE boot process of PC0005.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: 3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
1. Password: P@ssw0rd
2. Select a task sequence to execute on this computer: * Password: P@ssw0rd
1. Windows 10 Enterprise x64 RTM Custom Image * Select a task sequence to execute on this computer:
2. Computer Name: PC0007 * Windows 10 Enterprise x64 RTM Custom Image
3. Applications: Select the Install - Adobe Reader XI - x86 application. * Computer Name: PC0007
* Applications: Select the Install - Adobe Reader XI - x86 application.
4. The setup now starts and does the following: 4. The setup now starts and does the following:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application. * Installs the Windows 10 Enterprise operating system.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server. * Installs the added application.
4. Restores the USMT backup from PC0002. * Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
## Related topics ## Related topics
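Review bot: The caption under step 2 of "Deploy the PC0007 virtual machine" still reads "Figure 5. The initial PXE boot process of PC0005", but this section boots PC0007; change the caption to PC0007 (or swap the figure) so it matches the step. Also, in step 5 of the preceding procedure, "an USMT.MIG compressed backup file" should read "a USMT.MIG compressed backup file".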


@ -1,8 +1,8 @@
--- ---
title: Resolve common Windows 10 upgrade errors title: Resolve Windows 10 upgrade errors
description: Resolve common Windows 10 upgrade errors description: Resolve Windows 10 upgrade errors
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: deploy, error, troubleshoot, windows, 10 keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
@ -11,12 +11,30 @@ author: greg-lindsay
localizationpriority: high localizationpriority: high
--- ---
# Resolve common Windows 10 upgrade errors # Resolve Windows 10 upgrade errors
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic provides a brief introduction to Windows 10 installation processes and provides resolution procedures you can use to resolve common problems. This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
## In this topic
The following sections and procedures are provided in this guide:
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.<BR>
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.<BR>
- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
- [Result codes](#result-codes): Information about result codes.
- [Extend codes](#extend-codes): Information about extend codes.
- [Log files](#log-files): A list and description of log files useful for troubleshooting.
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
- [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
- [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
## The Windows 10 upgrade process ## The Windows 10 upgrade process
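Review bot: The last two anchors in the new "In this topic" list, `#0xC1900101` and `#0x800xxxxx`, use upper-case letters while every other anchor in the list is lower-case; markdown renderers generate heading ids in lower case (for example `#0xc1900101`), so these two links are likely to be broken. Also only the first two items carry a trailing `<BR>`; remove it or apply it to every item.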
@ -30,7 +48,7 @@ The Windows Setup application is used to upgrade a computer to Windows 10, or to
4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. 4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
- Example error: 0x4000D, 0x40017 - Example error: 0x4000D, 0x40017
5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful. 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
- Example error: 0x50011, 0x50012 - Example error: 0x50000
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): **Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
@ -40,6 +58,37 @@ DU = Driver/device updates.<BR>
OOBE = Out of box experience.<BR> OOBE = Out of box experience.<BR>
WIM = Windows image (Microsoft) WIM = Windows image (Microsoft)
## Quick fixes
The following steps can resolve many Windows upgrade problems.
<OL>
<LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
<UL>
<LI>chkdsk /F</LI>
</UL>
</LI>
<LI>Attept to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
<UL>
<LI>DISM.exe /Online /Cleanup-image /Restorehealth</LI>
<LI>sfc /scannow</LI>
</UL>
</LI>
<LI>Update Windows so that all available recommended updates are installed.</LI>
<LI>Uninstall non-Microsoft antivirus software.
<UL>
<LI>Use Windows Defender for protection during the upgrade.
<LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
</UL>
<LI>Uninstall all nonessential software.</LI>
<LI>Remove nonessential external hardware, such as docks and USB devices.</LI>
<LI>Update firmware and drivers.</LI>
<LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
<LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
</OL>
## Upgrade error codes ## Upgrade error codes
If the upgrade process is not successful, Windows Setup will return two codes: If the upgrade process is not successful, Windows Setup will return two codes:
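Review bot: The nested list under "Uninstall non-Microsoft antivirus software" is mis-nested: `<LI>Use Windows Defender for protection during the upgrade.` is never closed, and the next item ends with `</LI></LI>` inside the `<UL>`, so the outer item is closed before its `</UL>`; move one `</LI>` to after the `</UL>`, and close the final item of the list ("Verify at least 16 GB...") as well. Typo in step 2: "Attept" should be "Attempt". Note also that the markdown link `[Repair a Windows Image](...)` sits inside a raw `<OL>`/`<LI>` block, where CommonMark-style renderers do not process markdown; use an `<a>` tag there.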
@ -53,11 +102,11 @@ Note: If only a result code is returned, this can be because a tool is being use
### Result codes ### Result codes
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Common error codes](#common-error-codes) section later in this topic. >A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
Result codes can be matched to the type of error encountered. To match a result code to an error: Result codes can be matched to the type of error encountered. To match a result code to an error:
1. Identify the error code type, using the first hexidecimal digit: 1. Identify the error code type, either Win32 or NTSTATUS, using the first hexidecimal digit:
<BR>8 = Win32 error code (ex: 0x**8**0070070) <BR>8 = Win32 error code (ex: 0x**8**0070070)
<BR>C = NTSTATUS value (ex: 0x**C**1900107) <BR>C = NTSTATUS value (ex: 0x**C**1900107)
2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure. 2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
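Review bot: "hexidecimal" in step 1 should be "hexadecimal" (the misspelling was already in the old text, so this is a good place to fix it). The `<BR>`-separated examples under step 1 (8 = Win32, C = NTSTATUS) would read better as a nested list than as one paragraph with line breaks.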
@ -67,9 +116,12 @@ For example:
- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL - 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED - 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot.
### Extend codes ### Extend codes
>Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
1. Use the first digit to identify the phase (ex: 0x4000D = 4). 1. Use the first digit to identify the phase (ex: 0x4000D = 4).
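Review bot: The added sentence "The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending" does not match the published definition of NTSTATUS 0x00000107 (STATUS_SOME_NOT_MAPPED: some of the information to be translated has not been translated). If Windows Setup surfaces this status when a cleanup from a previous attempt is still pending, say that explicitly as Setup's usage of the code rather than as the meaning of the status value, or cite the source for that reading.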
@ -141,7 +193,7 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
## Log files ## Log files
Various log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. The most useful log is **setupact.log**. These logs are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
<P>The following table describes some log files and how to use them for troubleshooting purposes: <P>The following table describes some log files and how to use them for troubleshooting purposes:
@ -149,11 +201,13 @@ Various log files are created during each phase of the upgrade process. These lo
<TR> <TR>
<td BGCOLOR="#a0e4fa"><B>Log file<td BGCOLOR="#a0e4fa"><B>Phase: Location<td BGCOLOR="#a0e4fa"><B>Description<td BGCOLOR="#a0e4fa"><B>When to use <td BGCOLOR="#a0e4fa"><B>Log file<td BGCOLOR="#a0e4fa"><B>Phase: Location<td BGCOLOR="#a0e4fa"><B>Description<td BGCOLOR="#a0e4fa"><B>When to use
<TR><TD rowspan=5>setupact.log<TD>Down-Level:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about setup actions during the downlevel phase. <TD>All down-level failures and starting point for rollback investigations.<BR> This is the most important log for diagnosing setup issues. <TR><TD rowspan=5>setupact.log<TD>Down-Level:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about setup actions during the downlevel phase.
<TR><TD>OOBE:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about actions during the OOBE phase.<TD>Investigating rollbacks that failed during OOBE phase and operations 0x4001C, 0x4001D, 0x4001E, 0x4001F. <TD>All down-level failures and starting point for rollback investigations.<BR> This is the most important log for diagnosing setup issues.
<TR><TD>Rollback:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about actions during rollback.<TD>Investigating generic rollbacks - 0xC1900101. <TR><TD>OOBE:<BR>$Windows.~BT\Sources\Panther\UnattendGC
<TR><TD>Pre-initialization (prior to downlevel):<BR>$Windows.~BT\Sources\Panther<TD>Contains information about initializing setup.<TD>If setup fails to launch. <TD>Contains information about actions during the OOBE phase.<TD>Investigating rollbacks that failed during OOBE phase and operations 0x4001C, 0x4001D, 0x4001E, 0x4001F.
<TR><TD>Post-upgrade (after OOBE):<BR>$Windows.~BT\Sources\Panther<TD>Contains information about setup actions during the installation.<TD>Investigate post-upgrade related issues. <TR><TD>Rollback:<BR>$Windows.~BT\Sources\Rollback<TD>Contains information about actions during rollback.<TD>Investigating generic rollbacks - 0xC1900101.
<TR><TD>Pre-initialization (prior to downlevel):<BR>Windows</TD><TD>Contains information about initializing setup.<TD>If setup fails to launch.
<TR><TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about setup actions during the installation.<TD>Investigate post-upgrade related issues.
<TR><TD>setuperr.log<TD>Same as setupact.log<TD>Contains information about setup errors during the installation.<TD>Review all errors encountered during the installation phase. <TR><TD>setuperr.log<TD>Same as setupact.log<TD>Contains information about setup errors during the installation.<TD>Review all errors encountered during the installation phase.
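Review bot: In the pre-initialization row the location was changed to just `Windows</TD>`, which is not a full path like the other rows (`$Windows.~BT\Sources\Panther`, `Windows\Panther`); if `C:\Windows` is meant, write it out so readers know where to look. That cell is also the only one in the table closed with `</TD>`; either close every cell or none, so the markup stays consistent.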
@ -170,17 +224,126 @@ Event logs (*.evtx)
<TD>$Windows.~BT\Sources\Rollback<TD>Additional logs collected during rollback. <TD>$Windows.~BT\Sources\Rollback<TD>Additional logs collected during rollback.
<TD> <TD>
Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<BR> Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<BR>
Setupapi: Device install issues 0x30018<BR> Setupapi: Device install issues - 0x30018<BR>
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots. Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
</TABLE> </TABLE>
### Log entry structure
## Common error codes A setupact.log or setuperr.log entry includes the following elements:
<OL>
<LI><B>The date and time</B> - 2016-09-08 09:20:05.
<LI><B>The log level</B> - Info, Warning, Error, Fatal Error.
<LI><B>The logging component</B> - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
<UL>
<LI>The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
</UL>
<LI><B>The message</B> - Operation completed successfully.
</OL>
See the following example:
| Date/Time | Log level | Component | Message |
|------|------------|------------|------------|
|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
### Analyze log files
<P>To analyze Windows Setup log files:
<OL>
<LI>Determine the Windows Setup error code.
<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
<LI>Open the log file in a text editor, such as notepad.
<LI>Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
<LI>To find the last occurrence of the result code:
<OL type="a">
<LI>Scroll to the bottom of the file and click after the last character.
<LI>Click **Edit**.
<LI>Click **Find**.
<LI>Type the result code.
<LI>Under **Direction** select **Up**.
<LI>Click **Find Next**.
</OL>
<LI> When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
<LI> Search for the following important text strings:
<UL>
<LI><B>Shell application requested abort</B>
<LI><B>Abandoning apply due to error for object</B>
</UL>
<LI> Decode Win32 errors that appear in this section.
<LI> Write down the timestamp for the observed errors in this section.
<LI> Search other log files for additional information matching these timestamps or errors.
</OL>
For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
<P><B>setuperr.log</B> content:
<pre style="font-size: 10px; overflow-y: visible">
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Error Gather failed. Last error: 0x00000000
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44
27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
</PRE>
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
<pre style="font-size: 10px; overflow-y: visible">
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
</PRE>
</B>The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
<P><B>setupact.log</B> content:
<pre style="font-size: 10px; overflow-y: visible">
27:00, Info Gather started at 10/5/2016 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37
27:08, Info [0x080489] MIG Setting system object filter context (System)
27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
27:08, Error Gather failed. Last error: 0x00000000
27:08, Info Gather ended at 10/5/2016 23:27:08 with result 44
27:08, Info Leaving MigGather method
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
</PRE>
<P>This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
## Resolution procedures
### 0xC1900101 ### 0xC1900101
A common result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the SafeOS phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as the minidump file (($Windows.~bt\Sources\Rollback\setupmem.dmp), event logs (($Windows.~bt\Sources\Rollback\*.evtx), and the device install log ($Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log). The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, run setup in the absence of drivers by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process. A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<BR>
- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process.
<P>See the following general troubleshooting procedures associated with a result code of 0xC1900101: <P>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
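Review bot: In the worked example, the file under C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 is described as "a local system certificate" that "can be safely deleted"; that path is where CAPI stores RSA key containers for the LocalSystem account (S-1-5-18), not certificates, so deleting the file discards a private key that a service may still depend on. Recommend moving or renaming the file (so it can be restored if something breaks) rather than deleting it, and rewording "certificate" to "key container". Smaller issues in this hunk: a stray `</B>` opens the line "The error 0x00000570 is a Win32 error code..."; the phrase 'the "abort" and abandoning" text strings' in step 4 is missing an opening quote; "determine the type and location of a log files" should be "of the log file"; in the new 0xC1900101 list the first item ends with a comma while the others do not; and the markdown links and `**Edit**`/`**Find**` bold inside the `<OL>`/`<LI>` blocks will not render in a raw HTML block on CommonMark renderers, so use `<a>` and `<b>` there.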
@ -222,7 +385,7 @@ A common result code is 0xC1900101. This result code can be thrown at any stage
<P><TABLE cellspacing=0 cellpadding=0> <P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during the WinPE phase. <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
<BR>This is generally caused by out-of-date drivers. <BR>This is generally caused by out-of-date drivers.
</TABLE> </TABLE>
</TD> </TD>
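Review bot: "during Wim apply in the WinPE phase" should use the glossary's spelling, "WIM" (WIM = Windows image, as defined above Figure 1); "while applying the Windows image" would be clearer still for readers who do not know the term.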
@ -251,7 +414,7 @@ A common result code is 0xC1900101. This result code can be thrown at any stage
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation. <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
<BR>Windows was not able to migrate the driver, resulting in a rollback of the operating system. <BR>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
<P>This is a safeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
</TABLE> </TABLE>
</TD> </TD>
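Review bot: "safeOS" in the added sentence should be "SafeOS" to match the phase name used elsewhere in the topic (for example "during the SafeOS phase" in the new 0x800xxxxx table).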
@ -329,6 +492,10 @@ Disconnect all peripheral devices that are connected to the system, except for t
<P><TABLE cellspacing=0 cellpadding=0> <P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue. <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
<P>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
<P>This can occur due to incompatible drivers.
</TABLE> </TABLE>
</TD> </TD>
@ -336,8 +503,10 @@ Disconnect all peripheral devices that are connected to the system, except for t
<TABLE cellspacing=0 cellpadding=0> <TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><p>Review the rollback log and determine the stop code. <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
<BR>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. Look for text similar to the following: <P>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
<p>Review the rollback log and determine the stop code.
<BR>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. An example analysis is shown below. This example is not representative of all cases:
<p>Info SP Crash 0x0000007E detected <p>Info SP Crash 0x0000007E detected
<BR>Info SP Module name : <BR>Info SP Module name :
<BR>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 <BR>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
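Review bot: The rollback log location given here, `C:\$Windows.~BT\Sources\Panther`, contradicts the log files table above, which this same commit changed to list the rollback log under `$Windows.~BT\Sources\Rollback`; pick one location. The `**C:\$Windows.~BT\Sources\Panther**` markdown bold is inside an HTML table cell and will not render; use `<b>`. "Check supplemental rollback logs for a setupmem.dmp file" would also be clearer with the path already given in the 0xC1900101 introduction ($Windows.~bt\Sources\Rollback\setupmem.dmp).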
@ -392,9 +561,74 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
### 0x800xxxxx ### 0x800xxxxx
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
<P>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
<TABLE border=1 cellspacing=0 cellpadding=0> <TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8000405 - 0x20007
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
An unspecified error occurred with a driver during the SafeOS phase.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
800704B8 - 0x3001A
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
An extended error has occurred during the first boot phase.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'> <TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0> <TABLE cellspacing=0 cellpadding=0>
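Review bot: The first code in the new 0x800xxxxx table, `8000405 - 0x20007`, has only seven hex digits and no `0x` prefix, whereas the topic writes result codes as eight-digit 0x values (0x8007042B above, and `800704B8` in the next row); confirm the intended value and write both rows in the same form. The second cause, "An extended error has occurred during the first boot phase", is just the system message for Win32 error 0x4B8 (ERROR_EXTENDED_ERROR, 1208), which means the underlying provider reported its own error; pointing readers to the device install log or the [analyze log files](#analyze-log-files) procedure in the cause text would make the mitigation actionable.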
@ -409,7 +643,8 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a cause The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
<BR>This issue can occur due to file system, application, or driver issues.
</TABLE> </TABLE>
</TD> </TD>
@ -420,7 +655,7 @@ Here is a cause
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a mitigation procedure. [Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
</TABLE> </TABLE>
</TD> </TD>
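Review bot: the new Mitigation cell reads "[Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated"; "to determine" and "that cannot be migrated" say the same thing in fewer words, and the same "in order to" construction recurs in the other Mitigation cells added by this patch, so it is worth tightening once across all of them. The `#analyze-log-files` anchor also has to match the generated id of the corresponding heading, which is not visible in this hunk; confirm it renders as a working link.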
@ -440,8 +675,7 @@ Here is a mitigation procedure.
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. General failure, a device attached to the system is not functioning.
<BR>This issue can occur due to an application or driver incompatibility.
</TABLE> </TABLE>
</TD> </TD>
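Review bot: the replacement Cause text "General failure, a device attached to the system is not functioning." drops the phase and operation information ("second boot phase ... MIGRATE_DATA operation") that the neighbouring Cause cells all lead with, so the reader loses the cross-reference between this entry and its extend code. If the entry still describes the same result code, keep the phase/operation sentence and add the device-failure sentence after a <BR>, as the other cells in this section do.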
@ -452,11 +686,7 @@ The installation failed during the second boot phase while attempting the MIGRAT
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Clean boot into Windows, and then attempt the upgrade to Windows 10.<BR> [Analyze log files](#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
<P>Ensure you select the option to "Download and install updates (recommended)."
</TABLE> </TABLE>
</TD> </TD>
@ -476,7 +706,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a cause. The installation failed during the second boot phase while attempting the PRE_OOBE operation.
</TABLE> </TABLE>
</TD> </TD>
@ -487,70 +717,7 @@ Here is a cause.
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'> <TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a mitigation procedure. This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
800704B8 - 0x3001A
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a cause.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a mitigation procedure.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8000405 - 0x20007
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a cause.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Here is a mitigation procedure.
</TABLE> </TABLE>
</TD> </TD>
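Review bot: besides replacing the placeholder Mitigation text, this hunk deletes the rows for 800704B8 - 0x3001A and 8000405 - 0x20007 outright instead of filling in their "Here is a cause." / "Here is a mitigation procedure." placeholders. The "An extended error has occurred during the first boot phase" cell earlier in this file reads like the completed 800704B8 entry, but 8000405 - 0x20007 has no visible replacement; if it is meant to return, note that 8000405 is only seven hex digits and should be checked against the full HRESULT before it is re-added.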
@ -559,7 +726,7 @@ Here is a mitigation procedure.
</TABLE> </TABLE>
## Common errors I've edited but don't know how to classify ### Other result codes
<table> <table>
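Review bot: the heading drops from "##" to "###" while being renamed to "Other result codes"; that only nests correctly if a "##" heading precedes it in the new layout, which this hunk does not show. Confirm the parent heading exists, otherwise the section appears as a stray third-level entry in the table of contents.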
@ -640,12 +807,7 @@ Download and run the media creation tool. See [Download windows 10](https://www.
</td> </td>
</tr> </tr>
<tr>
<td>display is not compatible</td>
<td>The display card installed is not compatible with Windows 10.</td>
<td>Uninstall the display adapter and start the upgrade again. When setup completes successfully, install the latest display adapter driver using Windows Update or by downloading from the computer manufacturers website. Use compatibility mode if necessary.
</td>
</tr>
<tr> <tr>
<td>0x8007002 </td> <td>0x8007002 </td>
<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td> <td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
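Review bot: removing the "display is not compatible" row deletes the only guidance in this table for an incompatible display adapter (uninstall the adapter, upgrade, then install the latest driver through Windows Update or the manufacturer's site). The row had no result code, which may be why it was dropped, but if the guidance is still wanted it fits under the new "Other error codes" heading; if it is dropped on purpose, the commit message should say so.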
@ -656,201 +818,73 @@ Download and run the media creation tool. See [Download windows 10](https://www.
<P>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN. <P>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
</td> </td>
</tr> </tr>
<tr>
<td>Error 800705B4: This operation returned because the timeout period expired.</td>
<td>A time out issue set by the task sequence limitation to 180 mins of run time. This can also occur if the System Center client is corrupted.</td>
<td>Review the SMSTS.log file and verify the following error is displayed:<BR>
Command line execution failed (800705B4) TSManager 3/30/2016 10:11:29 PM 8920 (0x22D8)<BR>
Failed to run the action: Upgrade Windows.<BR>
<P>To resolve this issue, increase the default task sequence run time and change the task sequence to have the content downloaded locally prior to installation.
</td>
</table> </table>
## Appendix A: Less common errors I haven't edited yet ### Other error codes
<TABLE> <TABLE>
<TR><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</TD></TR> <TR><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</TD></TR>
<TR><TD>0x80070003- 0x20007<TD>This error occurs when there is problem with the Internet connection during the Windows 10 upgrade.<TD>"Since this error indicates that the internet connection ran into a problem, you may attempt to fix the connectivity issues and reattempt the download of the files. <TR><TD>0x80070003- 0x20007
Alternatively, you may re-create installation media using ""Media Creation Tool"" from a different connected system. Refer: https://www.microsoft.com/en-us/software-download/windows10 <TD>This is a failure during SafeOS phase driver installation.
You can either create a USB drive or an ISO. <TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
"</TD></TR> </TD></TR>
<TR><TD>0x8007025D - 0x2000C<TD>This error occurs if the ISO file's metadata is corrupt.<TD>"Re-download the ISO/Media and re-attempt the upgrade. <TR><TD>0x8007025D - 0x2000C
<TD>This error occurs if the ISO file's metadata is corrupt.<TD>"Re-download the ISO/Media and re-attempt the upgrade.
You may alternatively, re-create installation media using ""Media Creation Tool"" Refer: https://www.microsoft.com/en-us/software-download/windows10 Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
You can either create a USB drive or an ISO using the Media Creation Tool. </TD></TR>
"</TD></TR> <TR><TD>0x80070490 - 0x20007<TD>An incompatible device driver is present.
<TR><TD>0x80070490 - 0x20007<TD>The error comes up during driver installation phase and it means that some of the device driver is incompatible.<TD>"Please ensure that all the devices are working correctly. Please review the Device Manager for any errors and troubleshoot accordingly.
Refer: https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations
Additionally, you can review the following logs to verify which I/O device is causing the problem. <TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
""%systemroot%\$Windows.~BT\Sources\Panther\setupact.log""
If unable to review the logs, post on Windows 10 TechNet Forum (https://social.technet.microsoft.com/Forums/en-us/home?forum=win10itprogeneral&filter=alltypes&sort=lastpostdesc) </TD></TR>
"</TD></TR> <TR><TD>0xC1900101 - 0x2000c
<TR><TD>0xC1900101 - 0x2000B<TD>This error occurs when the device drivers of the hardware connected to the computer prevent the Windows 10 upgrade from building the migration file list.<TD>We recommended you disconnect the devices that aren't in use when you upgrade the computer.</TD></TR> <TD>An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
<TR><TD>0xC1900101 - 0x2000c<TD>The Setup Platform has encountered an unspecified error during the WINPE Phase. This is generally caused by drivers which are not updated at the time when the upgrade was started.<TD>It is recommended to select "Download and install updates (recommended)" during the upgrade process. Additionally, you can contact the Hardware Vendor and get the updates for the device drivers that are connected to the system. Ensure all the devices other than the Mouse; Keyboard and Display are disconnected during upgrade process. Then start setup again.</TD></TR> <TD>Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
<TR><TD>0xC1900200 - 0x20008<TD>This error occurs when the computer doesnt meet the minimum requirements to download or upgrade to Windows 10.<TD>"Refer http://www.microsoft.com/en-us/windows/windows-10-specifications?OCID=win10_null_vanity_win10specs and make sure that the machine, on which the upgrade is being initiated, meets the minimum requirement. <P>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.</TD></TR>
<TR><TD>0xC1900200 - 0x20008
Secondly use the Windows 10 Compatibility Reports to understand upgrade issues (https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/) <TD>The computer doesnt meet the minimum requirements to download or upgrade to Windows 10.
"</TD></TR>
<TR><TD>0x80070004 - 0x3000D<TD>SYSTEM, LOCAL, SELF, System, and Network are reserved names that cant be used for Computer Name.<TD>"Ensure that you do not use the reserved names as the Computer names. Rename the system to a valid Computer name.
See KB 3086101 for more details.
"</TD></TR>
<TR><TD>0xC1900101 - 0x40001<TD>"This error indicates that we saw an error in the OOBE Phase - Stop 9F. This behavior occurs when device drivers do not handle power state transition requests properly. The error message most often occurs during one of the following actions: 1. Shutting down
2. Suspending or resuming from Standby mode
3. Suspending or resuming from Hibernate mode"<TD>"The most common causes for this error would be the connected devices on the machine / device as below and it would have suggested that we disable / disconnect them from the device /machine before performing the upgrade:
1. Internal WIFI Modem
2. Any External connected USB devices such as WEBCAMS; Printers; USB Hard Drives
3. Check to be sure your computer and all devices are on the Hardware Compatibility List (HCL) and have WHQL signed and certified drivers.
The setup.exe will perform a rollback of the OS and would return to the older OS. Once the rollback is complete if we find the problem causing driver than we need to check for %SystemDrive%\$Windows.~bt\sources\Rollback\setupmem.dmp file and have a Microsoft Support Professional look into the same. <TD>See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
"</TD></TR>
<TR><TD>0xC1900101 - 0x4001E<TD>This error indicates that the installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.<TD>This is a generic error that occurs during the OOBE phase of Setup. We recommend you to review the FAQ for Upgrade to Windows 10 (https://support.microsoft.com/en-us/help/12435/windows-10-upgrade-faq)</TD></TR> <BR>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</TD></TR>
<TR><TD>0x80070005 - 0x4000D<TD>This error code means The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation.<TD>This issue may occur if we have any application / driver that is causing an issue while the upgrade to Windows 10 is going on. Preform a clean boot on the system. Refer https://support.microsoft.com/en-us/kb/929135 for steps to perform a Clean boot.</TD></TR> <TR><TD>0x80070004 - 0x3000D
<TR><TD>0x80070004 - 0x50012<TD>The Computer account for the system has an invalid name. <TD>Please ensure that the machine name does not have any invalid characters (See https://technet.microsoft.com/en-us/library/cc749460(v=ws.10).aspx). Additionally, the names should not be any of the reserved names for systems. Rename the system to a valid computer name and try the Setup again. See KB 3086101 for more details.</TD></TR> <TD>This is a problem with data migration during the first boot phase. There are multiple possible causes.
<TR><TD>"0xC190020e 0x80070070 - 0x50011
0x80070070 - 0x50012 <TD>[Analyze log files](#analyze-log-files) to determine the issue.</TD></TR>
0x80070070 - 0x60000"<TD>These errors would occur if your computer doesnt have enough free space available to install the upgrade.<TD>"Typically to upgrade to Windows 10, you need free space of 16 GB for 32-bit OS and 20 GB for 64-bit OS. If there is not enough space refer the following article: <TR><TD>0xC1900101 - 0x4001E
https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space <TD>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
<TD>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.</TD></TR>
<TR><TD>0x80070005 - 0x4000D
<TD>The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.</TD></TR>
<TR><TD>0x80070004 - 0x50012
<TD>Windows Setup failed to open a file.
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.</TD></TR>
<TR><TD>0xC190020e
<BR>0x80070070 - 0x50011
<BR>0x80070070 - 0x50012
<BR>0x80070070 - 0x60000
<TD>These errors indicate the computer does not have enough free space available to install the upgrade.
<TD>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
Note: Once the deletion is complete, initiate the upgrade and this time you should not receive the error if sufficient space has been made. If that is not enough <P>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
then, you can implement solution as mentioned below. </TD></TR>
Using External Drive
If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will backup the previous version of Windows to a USB external drive. The external drive must be at least 8GB but having 16GB is recommended.
Some important points to remember if you choose to use an external storage drive for installing Windows 10:
- We recommend that the external drive is formatted in NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. To learn how to format in NTFS, click here.
- USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
"</TD></TR>
</TABLE> </TABLE>
## Appendix B: Less common errors I haven't edited and don't know how to classify
<TABLE>
<TR><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</TD></TR>
<TR><TD>Contact your system administrator to upgrade Windows Server or Enterprise Editions<TD>This issue occurs if you run the updater tool. The tool works only with the Windows 10 Home, Pro, and Education editions.<TD>To resolve this issue, use a different method to upgrade to Windows 10 version 1607. For example, download the ISO, and then run Setup from it.</TD></TR>
<TR><TD>When doing an upgrade to Windows Version 1607 is it supported to use a custom install.wim (sysprepped) instead of the default install.wim that comes with Windows Version 1607 <TD>Unsupported<TD>It is not supported to replace the install.wim with custom wim (sysprepped or not). It is supported to do some minor changes to the default install.wim such as injecting latest cumulative update or remove inbox apps. </TD></TR>
<TR><TD>0xC1420127<TD>The typical conversion of the error means that the specified image in the specified wim is already mounted for read/write access. When we launch the setup.exe, it checks the registry key. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WIMMount\Mounted Images to check for any previously mounted WIM files on the system and if the image is mounted we will get this error.<TD>This error would be very rare on Upgrades of WIN10 specially when upgrading to the Anniversary 1607 Build. This issue has been fixed with the Cumulative updates released in June 2016 for Windows 10. When we perform an Upgrade, it is recommended to Perform a Windows Update first and apply all important updates on the current OS and then start the Upgrade process for Windows 10.</TD></TR>
<TR><TD>0x8004100E<TD>This error code indicates that there is a problem with an Application that has an Invalid WMI Namespace<TD>In order to fix this problem, we need to open Application Event log and Check for Errors for various applications that could be causing this error. You can use WMIDIAG tool and make sure that the WMI is working well. The step by step instructions are available at: https://technet.microsoft.com/en-us/library/ff404265.aspx</TD></TR>
<TR><TD>0x80070057<TD>This error means that One or more arguments are invalid<TD>This is a very generic error, and it could be due to any of the issues that we would have on the machine. This error may not be related to Upgrade only. It could be due to any programs; device drivers etc. There is no specific resolution for this error</TD></TR>
<TR><TD>0x8007007e<TD>The error indicates one of the modules required to upgrade to Windows 10 was not found, some of these modules could be manifest files, COM Classes, DLL or any app packages that may be missing.<TD>"When we start the upgrade of the OS, the Setup engine is responsible to check and confirm that all OS components / modules are running in good health, so that the upgrade succeeds. When we have any issues being reported with manifest files, COM Classes, DLL or any app packages, the setup engine would give this error. In order to fix this error, we would suggest to follow the solutions as below and then start the upgrade again.
Solution 1: System File Checker
Follow the detailed steps as in: https://support.microsoft.com/en-us/kb/929833
Solution 2: Integrated CHKSUR
Run DISM Command to verify the health of the system:
1. Go to Start
2. Search for """"Command Prompt""""
3. Right Click and select """"Run as Administrator""""
4. On the prompt type command: Dism /Online /Cleanup-Image /CheckHealth
5. Hit Enter.
6. When you use the /CheckHealth argument, the DISM tool will report whether the image is healthy, repairable, or non-repairable. If the image is non-repairable, you should discard the image and start again.
7. If the image is repairable, you can use the /RestoreHealth argument to repair the image. Dism /Online /Cleanup-Image /RestoreHealth.
"</TD></TR>
<TR><TD>0x8007045d<TD>This error indicates that we ran into an I/O device error.<TD>"Please ensure that all I/O devices are working correctly. Please review the Device Manager for any errors and troubleshoot accordingly.
Refer: https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations
Additionally, you can review the following logs to verify which I/O device is causing the problem.
""%systemroot%\$Windows.~BT\Sources\Panther\setupact.log""
If unable to review the logs, post on Windows 10 TechNet Forum (https://social.technet.microsoft.com/Forums/en-us/home?forum=win10itprogeneral&filter=alltypes&sort=lastpostdesc)
"</TD></TR>
<TR><TD>0x80070542<TD>The user executing the Setup.exe does not have all permissions required to complete the upgrade. <TD>"Please ensure the user performing the upgrade is part of Local Administrators group or is a Local Admin.
Additionally, to troubleshoot further you may need to identify which process is preventing access to certain resources required for upgrade process. That can be identify by using Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor).
Use this (https://support.microsoft.com/en-us/kb/939896) to understand how to use Process Monitor and then post the results to Windows 10 TechNet Forum (https://social.technet.microsoft.com/Forums/en-us/home?forum=win10itprogeneral&filter=alltypes&sort=lastpostdesc)
"</TD></TR>
<TR><TD>0x80070652 <TD>This error occurs when another program is being installed at the same time as the upgrade.<TD>Ensure that the are no other installation currently in progress. If there is, wait for the installation to complete. Restart the computer and do the upgrade to Windows 10.</TD></TR>
<TR><TD>0x800F0923<TD>This error code indicates that the user entered Safe Mode during the upgrade process.<TD>In order to complete the upgrade successfully, we recommend that you reboot the system in normal mode. If a roll-back occurs, re-initiate the upgrade.</TD></TR>
<TR><TD>0x80200056<TD>This error indicates when the upgrade attempts to use a security token for some of the operations, but the token is not currently available. <TD>You can attempt to re-login to the machine with a local administrator privileges and attempt to re-run the upgrade. Ensure that you do not logoff until the upgrade is complete.</TD></TR>
<TR><TD>0xC0000005<TD>The error indicates that the setup process lead to an access violation<TD>"Please ensure the user performing the upgrade is part of Local Administrators group or is a Local Admin.
Additionally, to troubleshoot further you may need to identify which process is preventing access to certain resources required for upgrade process. That can be identify by using Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor).
Use this (https://support.microsoft.com/en-us/kb/939896) to understand how to use Process Monitor and then post the results to Windows 10 TechNet Forum (https://social.technet.microsoft.com/Forums/en-us/home?forum=win10itprogeneral&filter=alltypes&sort=lastpostdesc)
"</TD></TR>
<TR><TD>0XC0000428<TD>"This error occurs when the digital signatures for one of the Boot Critical Drivers has not been verified. In most cases, we will see an error on Bootup which will be similar to as below:
File: \Windows\system32\boot\winload.exe
Status:0xc0000428
Info: Windows cannot verify the digital signature for this file."<TD>"In order to fix this error, we need to look for the file that is causing the issue. The file listed in the cause section may vary as well. When this error occurs, the machine / device will show a bluescreen and will not be in a useable state. At this point, we would need to perform Automatic Repair using Windows 10 installation media. The Drivers, conflicts with other programs, malware, and memory can all cause startup problems.
Automatic repair can detect and fix problems that prevent your PC from starting. Refer to the steps:
a. Insert the installation USB media and boot Windows Technical Preview from it.
b. In the Windows setup page select the language to install, Time and currency format and the keyboard or input method and click on next.
c. Click on Repair your computer and select Troubleshoot.
d. Select Automatic Repair and select the operating system.
e. You will then see a blue screen and an option to choose. Choose the option Troubleshoot and select advanced options.
f. You may choose Automatic Repair from Advanced boot option.
g. Follow the instructions.
The above steps should fix the issue and get the driver signatures back as well for the corrupted drivers. If that does not help, then we may not have any other option than performing a Clean Install of Windows 10 on the machine / device. You can create a Windows 10 installation Disc and perform a clean installation on the computer. To create a please find the below link:
https://www.microsoft.com/en-us/software-download/windows10
Once the media is created by the tool, it will walk you through how to set up Windows 10 on your PC. During setup, you might be asked to enter a product key.
If you bought Windows 10 and are installing it for the first time, youll need to enter the Windows 10 product key you received in the confirmation email after your purchase. If you dont have a product key and youve not previously upgraded to Windows 10, select I need to buy a Windows 10 product key.
"</TD></TR>
<TR><TD>0xc1900106<TD>This indicate that upgrade process was forcefully terminated either by Rebooting or forcefully canceling the setup. <TD>"We recommended that when the Windows 10 Upgrade is initiated, one should not terminate the process at any time until the Setup completes. Before initiating the setup, we should make sure:
1. The device (Laptop or Surface) it should be connected to power source and adequately charged.
2. The user is not cancelling the setup on the Black Screen, when the setup.exe is installing devices and configuring user settings.
PS: It takes time on the device configuration and migration depending upon the Speed of the CPU and the amount of RAM on the system.
"</TD></TR>
<TR><TD>0xC1900208 -1047526904<TD>This error occurs when the computer does not pass the compatibility check for upgrading to Windows 10.<TD>"This error comes when there is software/driver which is not yet certified to be compatible with windows 10. Hence you might want to re-run the compatibility check before initiating the Upgrade.
Refer AskCore Blog: Using the Windows 10 Compatibility Reports to understand upgrade issues (https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/)
Once you have found the in-compatible software/drivers:
1. Uninstall incompatible software or hardware or driver,
2. Now re-run the compatibility check just to verify that there no more in-compatible software/driver on the machine.
3. If it comes clean, initiate the upgrade.
4. Else, repeat the steps until the compatibility check is clean.
"</TD></TR>
<TR><TD>Couldn't Update System Reserved Partition<TD>This error occurs because the System Reserved Partition (SRP) is full.<TD>Free up 15MB of space on the SRP using the appropriate method described in Knowledge Base article 3086249, and then try the upgrade again.</TD></TR>
<TR><TD>MismatchedLanguage, found HardBlock<TD>This error code indicates that the Current Language installed on the machine is not Supported for the Upgrade to start.<TD>We need to have English as the base Language in order to upgrade to Windows 10. There is a Hard block for the Upgrade to be performed and the compatibility scan data is saved to %Systemroot%\$WINDOWS.~BT\Sources\Panther\CompatData_YYYY.txt</TD></TR>
<TR><TD>Setup couldnt start properly. Please reboot your PC and try running Windows 10 Setup again<TD>This error occurs if the upgrade files are corrupt due to a failed Windows 10 download.<TD>"The Setup.exe initializes the temporary folders to copy the data and prepare the machine for upgrade. The specific folders that are initialized are:
1. C:\$Windows ~BT (Hidden Folder)
2. C:\$Windows~WS (Hidden Folder)
In order to delete the above folders we would suggest that we use the Disk Clean Up tool and delete the folders and then try to run the upgrade again.
https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space
"</TD></TR>
<TR><TD>Unable to resurrect NewSystem object. hr=0x80070002<TD>"This error occurs when the setup.exe is unable to create the newsystem data file when the upgrade starts. If we look at the C:\$Windows.~BT\Sources\Panther\diagerr.xml, we should see something like:
CSetupPlatform::ResurrectNewSystem:
Failure: Win32Exception: \\?\C:\$Windows.~BT\Sources\NewSystem.dat:
The system cannot find the file specified. [0x00000002] __cdecl
UnBCL::FileStream::FileStream(const class UnBCL::String *,enum
UnBCL::FileMode,enum UnBCL::FileAccess,enum UnBCL::FileShare,unsigned long)"<TD>"The NewSystem.dat is an operational file that is created at the beginning of the upgrade process and used at various points in the setup phase like driver migrations; disk space detections; Platforms detections and creating a base image of the new OS that is extracted from the INSTALL.WIM, which is the source file for the upgrade.
There are couple of solutions for this issue:
Solution 1: Disk Space
Check and Make sure that we have good amount of free disk space on the OS partition. Disk space requirements:
a. For 32-bit: Greater than 16gb
b. For 64-Bit: Greater than 20gb
Solution 2: Upgrade Path
We need to make sure that we are upgrading the existing OS, to the New Version as per the guidelines described in https://technet.microsoft.com/en-us/itpro/windows/deploy/windows-10-upgrade-paths?f=255&MSPPError=-2147217396
Solution: Media Creation Tool
Use the Media Creation tool and create an ISO and then start the upgrade of the OS. The tool can be downloaded from: http://go.microsoft.com/fwlink/?LinkId=691209
"</TD></TR>
</TABLE>
## Appendix A: Example setupact.log
## Related topics ## Related topics
• Windows 10 FAQ for IT professionals [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
• Windows 10 Enterprise system requirements <BR>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
• Windows 10 IT pro forums <BR>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
<BR>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
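Review bot: the `## Appendix A: Example setupact.log` heading is dropped in this hunk while the error table above it stays; confirm that nothing else in the topic (in-page links, the TOC, or other topics) still points at that appendix's anchor, otherwise the link goes dead with this merge. While in this region, two unchanged lines are worth touching: the third remedy is labelled plain `Solution: Media Creation Tool` where the two before it are `Solution 1:` and `Solution 2:`, so it should read `Solution 3:`, and the upgrade-paths URL carries tracking parameters (`?f=255&MSPPError=-2147217396`) that can be dropped from the link.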


@ -101,7 +101,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs
| **Site discovery** | **KB** | | **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------| |----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB 3170106](https://support.microsoft.com/en-us/kb/3170106)<br>Site discovery requires July 2016 security update for Internet Explorer. | | [Review site discovery](upgrade-analytics-review-site-discovery.md) | Site discovery requires the [July 2016 security update for Internet Explorer](https://support.microsoft.com/en-us/kb/3170106) (KB3170106) or later. |
### Automate data collection ### Automate data collection
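Review bot: the new table cell adds "or later" to the requirement, which is a stronger statement than the old row made (it previously only named the July 2016 update); keep it only if that is the tested behaviour. The cell now puts the KB number in parentheses after the link text, "(KB3170106)", while the companion edit to the site-discovery topic in this same commit removes the KB number from its link text; pick one convention for both rows so the two descriptions of the same prerequisite agree.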


@ -15,7 +15,7 @@ This section of the Upgrade Analytics workflow provides an inventory of web site
Ensure the following prerequisites are met before using site discovery: Ensure the following prerequisites are met before using site discovery:
1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update (KB3170106)](https://support.microsoft.com/kb/3170106) and later. 1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update](https://support.microsoft.com/kb/3170106) and later.
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). 2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it. 3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it.
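Review bot: dropping "(KB3170106)" from the link text in step 1 removes the one identifier a reader can search for when checking whether the update is present on a machine; keep the KB number either inside the link text or in parentheses after it, as the other site-discovery table in this commit does, so the two topics describe the prerequisite the same way. While on this list, the unchanged step 2 misspells "telemetry" as "telemetery".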


@ -1,548 +0,0 @@
---
title: Placeholder (Windows 10)
description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
- Windows 10
**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). Please complete all steps in the prerequisite guide before attempting the procedures in this guide.
The PoC environment is a virtual network running on Hyper-V with three virtual machines:
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
## In this guide
Description here.
## Install the Microsoft Deployment Toolkit (MDT)
1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
```
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Stop-Process -Name Explorer
```
2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT) 2013 Update 2](https://www.microsoft.com/en-us/download/details.aspx?id=50407) on SRV1 using the default options.
3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components.
3. If desired, re-enable IE Enhanced Security Configuration:
```
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
Stop-Process -Name Explorer
```
## Create a deployment share and reference image
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
```
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
2. Connect to SRV1 and verify that the Windows Enterprise installation DVD is mounted as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
5. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**<BR>
- Share name: **MDTBuildLab$**<BR>
- Deployment share description: **MDT build lab**<BR>
- Options: click **Next** to accept the default<BR>
- Summary: click **Next**<BR>
- Progress: settings will be applied<BR>
- Confirmation: click **Finish**
6. Expand the Deployment Shares node, and then expand MDT build lab.
7. Right-click the Operating Systems node, and then click New Folder. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
7. Right-click the Windows 10 folder created in the previous step, and then click **Import Operating System**.
8. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**<BR>
- Source: **D:\\** <BR>
- Destination: **W10Ent_x64**<BR>
- Summary: click **Next**
- Confirmation: click **Finish**
9. For purposes of this test lab, we will not add applications (such as Microsoft Office) to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library.
10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
- Template: **Standard Client Task Sequence**
- Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: **http://www.contoso.com**
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: click **Next**
- Confirmation: click **Finish**
11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**.
14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
>Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
17. Click **OK** to complete editing the task sequence.
18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab.
19. Replace the default rules with the following text:
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=YES
FinishAction=SHUTDOWN
DoNotCreateExtraPartition=YES
ApplyGPOPack=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTBuildLab$
UserDomain=CONTOSO
UserID=administrator
UserPassword=pass@word1
SkipBDDWelcome=YES
```
21. Click **OK** to complete the configuration of the deployment share.
22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
>Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
```
New-VM Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
Start-VM REFW10X64-001
vmconnect localhost REFW10X64-001
```
26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
- Install the Windows 10 Enterprise operating system.
- Install added applications, roles, and features.
- Update the operating system using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server. The file name is **REFW10X64-001.wim**.
## Deploy a Windows 10 image using MDT
This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
- **Deployment share path**: C:\MDTProd
- **Share name**: MDTProd$
- **Deployment share description**: MDT Production
- **Options**: accept the default
2. Click **Finish** and verify the new deployment share was added successfully.
3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
4. Right-click the Windows 10 folder created in the previous step, and then click **Import Operating System**.
5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
6. On the Image page, browse to the C:\MDTBuildLab\Captures\REFW10X64-001.wim file created in the previous procedure, click **Open**, and then click **Next**.
7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, and then click **Finish**.
10. In the Operating Systems > Windows 10 node, double-click the operating system that was added to view its Properties. Change the Operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**.
### Create the deployment task sequence
1. Using the Deployment Workbench, select Task Sequences in the MDT Production node, and create a folder named **Windows 10**.
2. Right-click the Windows 10 folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 Custom Image
- Task sequence comments: Production Image
- Select Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 Custom Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: http://www.contoso.com
- Admin Password: pass@word1
### Configure the MDT production deployment share
1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
```
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
```
2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click Properties.
3. Click the **Rules** tab and replace the rules with the following text:
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
OSDComputername=#Left("PC-%SerialNumber%",7)#
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=administrator
DomainAdminDomain=CONTOSO
DomainAdminPassword=pass@word1
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
EventService=http://SRV1:9800
```
**Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
>In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
```
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTProd$
UserDomain=CONTOSO
UserID=administrator
UserPassword=pass@word1
SkipBDDWelcome=YES
```
5. Click **OK** when finished.
### Update the deployment share
1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
3. Click **Finish** when the update is complete.
### Enable deployment monitoring
1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
4. Close Internet Explorer.
### Configure Windows Deployment Services
1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
```
WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All
```
2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
3. In the Windows Deployment Services console, expand Servers, expand SRV1.contoso.com, right-click **Boot Images**, and then click **Add Boot Image**.
4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
### Deploy the client image
1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. **Note**: Do not disable the *internal* network interface. To disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
```
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
```
New-VM Name "PC2" NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
>Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
3. Start the new VM and connect to it:
```
Start-VM PC2
vmconnect localhost PC2
```
4. When prompted, hit ENTER to start the network boot process.
5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
```
Enable-NetAdapter "Ethernet 2"
```
7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation.
8. When OS installation is complete, the system will reboot automatically and begin configuring devices. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
9. Turn off the PC2 VM before starting the next section. To turn off the VM, right-click **Start**, point to **Shut down or sign out**, and then click **Shut down**.
### Refresh a computer with Windows 10
This topic will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
1. Create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
2. Sign on to PC1 using the CONTOSO\Administrator account.
>Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
3. Open an elevated command prompt on PC1 and type the following:
```
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
**Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
5. Choose **Do not back up the existing computer** and click **Next**.
**Note**: The USMT will still back up the computer.
6. Lite Touch Installation will perform the following actions:
- Back up user settings and data using USMT.
- Install the Windows 10 Enterprise X64 operating system.
- Update the operating system via Windows Update.
- Restore user settings and data using USMT.
You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system.
8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
Start-VM PC1
vmconnect localhost PC1
```
10. Sign in to PC1 using the contoso\administrator account.
### Replace a computer with Windows 10
At a high level, the computer replace process consists of:<BR>
- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.<BR>
- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
#### Create a backup-only task sequence
1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
New-Item -Path C:\MigData -ItemType directory
New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
```
4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
5. Name the new folder **Other**, and complete the wizard using default options.
6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
- **Task sequence ID**: REPLACE-001
- **Task sequence name**: Backup Only Task Sequence
- **Task sequence comments**: Run USMT to backup user data and settings
- **Template**: Standard Client Replace Task Sequence
7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
#### Run the backup-only task sequence
1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
```
whoami
```
2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt:
```
Remove-Item c:\minint -recurse
Remove-Item c:\_SMSTaskSequence -recurse
Restart-Computer
```
2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
```
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
3. Complete the deployment wizard using the following:
- **Task Sequence**: Backup Only Task Sequence
- **User Data**: Specify a location: **\\SRV1\MigData$\PC1**
- **Computer Backup**: Do not back up the existing computer.
4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
```
PS C:\> dir C:\MigData\PC1\USMT
Directory: C:\MigData\PC1\USMT
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
```
#### Deploy PC3
1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
```
New-VM Name "PC3" NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
```
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Start-VM PC3
vmconnect localhost PC3
```
4. When prompted, press ENTER for network boot.
6. On PC3, ue the following settings for the Windows Deployment Wizard:
- **Task Sequence**: Windows 10 Enterprise x64 Custom Image
- **Move Data and Settings**: Do not move user data and settings
- **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1**
5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
```
Enable-NetAdapter "Ethernet 2"
```
7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
#### Troubleshooting logs, events, and utilities
Deployment logs are available on the client computer in the following locations:
- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
- After deployment: %WINDIR%\TEMP\DeploymentLogs
You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012)
## Related Topics
[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)<BR>
[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md)
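Review bot: this hunk deletes the entire MDT test-lab guide, not just its placeholder front matter, so any inbound link to `windows-10-poc-mdt.md` (the Configuration Manager guide in this same commit links to it) and any TOC entry must be updated in the same merge or they will dangle. If the content is being re-homed under a new name, carry these fixes with it: the `New-VM` lines lack the hyphen on two parameters (`New-VM Name REFW10X64-001 ...` and `New-VM Name "PC2" NewVHDPath ...`) and would fail as written; step 12 has "Tatto" for "Tattoo"; the hint under step 24 has "Top copy" for "To copy"; the PC3 wizard step has "ue" for "use"; and several step numbers repeat or run out of order (3/3, 7/7, 2/2 and 4, 6, 5, 7). On the security side, the Rules and Bootstrap.ini blocks store the lab account password `pass@word1` in clear text, which ends up in CustomSettings.ini, the boot image and the deployment share; that is normal for an isolated MDT lab, but the replacement page should keep the existing note that these values are lab-only so they are not copied into a production share.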
 


@ -1,645 +0,0 @@
---
title: Placeholder (Windows 10)
description: Deploy Windows 10 in a test lab using System Center Configuration Manager
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using System Center Configuration Manager
**Applies to**
- Windows 10
**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). Please complete all steps in the prerequisite guide before attempting the procedures in this guide.
If you have already completed [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), you can skip some steps of this guide, such as installation of MDT.
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
>Multiple features and services are installed on SRV1 in this guide. If less than 4 GB of RAM is allocated to SRV1, some procedures will require more time to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1 to 2 GB and 1 GB respectively, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
## In this guide
Description here.
## Install prerequisites
1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```
Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
```
>If the request to add features fails, retry the installation by typing the command again.
2. Download [SQL Server 2012 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
```
This command mounts the .ISO file to drive D on SRV1.
4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server 2012 SP2:
```
D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
```
Installation might take several minutes. When installation is complete, the following output will be displayed:
```
Microsoft (R) SQL Server 2014 12.00.5000.00
Copyright (c) Microsoft Corporation. All rights reserved.
Microsoft (R) .NET Framework CasPol 2.0.50727.7905
Copyright (c) Microsoft Corporation. All rights reserved.
Success
Microsoft (R) .NET Framework CasPol 2.0.50727.7905
Copyright (c) Microsoft Corporation. All rights reserved.
Success
```
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound Protocol TCP LocalPort 1433 -Action allow
New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound Protocol TCP LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound Protocol UDP LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound Protocol TCP LocalPort 4022 -Action allow
New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound Protocol TCP LocalPort 135 -Action allow
```
6. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
```
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Stop-Process -Name Explorer
```
7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components.
## Install System Center Configuration Manager
1. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1, double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
2. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
```
Get-Service Winmgmt
Status Name DisplayName
------ ---- -----------
Running Winmgmt Windows Management Instrumentation
Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
ComputerName : 192.168.0.2
RemoteAddress : 192.168.0.2
RemotePort : 135
AllNameResolutionResults :
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : Ethernet
SourceAddress : 192.168.0.2
NetRoute (NextHop) : 0.0.0.0
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : True
```
You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
2. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt:
```
cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
```
3. Provide the following in the System Center Configuration Manager Setup Wizard:
- **Before You Begin**: Read the text and click *Next*.
- **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- Click **Yes** in response to the popup window.
- **Product Key**: Choose **Install the evaluation edition of this Product**.
- **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
- **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
- **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
- **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
- use default settings for all other options
- **Usage Data**: Read the text and click **Next**.
- **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
- **Settings Summary**: Review settings and click **Next**.
- **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
## Download and install MDT
1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT) 2013 Update 2](https://www.microsoft.com/en-us/download/details.aspx?id=50407) on SRV1 using the default options.
2. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
```
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
Stop-Process -Name Explorer
```
## Download MDOP and install DaRT
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host.
2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
```
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
```
3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```
cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
```
4. Install DaRT 10 using default settings.
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
```
## Create a folder structure
1. Type the following commands at a Windows PowerShell prompt on SRV1:
```
New-Item -ItemType Directory -Path "C:Sources\OSD\Boot"
New-Item -ItemType Directory -Path "C:Sources\OSD\OS"
New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
New-Item -ItemType Directory -Path "C:\Logs"
New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
```
## Enable MDT ConfigMgr integration
1. Click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
2. Type **PS1** next to **Site code**, and then click **Next**.
3. Verify **The process completed successfully** is displayed, and then click **Finish**.
## Configure client settings
1. Click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
4. In the console tree, open the **Administration** workspace and click **Client Settings**.
5. In the display pane, double-click **Default Client Settings**.
6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
## Enable PXE on the distribution point
1. Deterime the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
```
(Get-NetAdapter "Ethernet").MacAddress
```
>If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter.
2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
4. On the PXE tab, select the following settings:
- Enable PXE support for clients. Click **Yes** in the popup that appears.
- Allow this distribution point to respond to incoming PXE requests
- Enable unknown computer support. Click **OK** in the popup that appears.
- Require a password when computers use PXE
- Password and Confirm password: pass@word1
- Respond to PXE requests on specific network interfaces: Enter the MAC address determined in the first step of this procedure.
5. Click **OK**.
6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
abortpxe.com
bootmgfw.efi
bootmgr.exe
pxeboot.com
pxeboot.n12
wdsmgfw.efi
wdsnbp.com
```
>If these files are not present, type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
```
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
## Create a branding image file
1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
2. Type the following command at an elevated Windows PowerShell prompt:
```
copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
```
>You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
## Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
- The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
4. On the Options page, under **Platform** choose **x64**, and click **Next**.
5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
7. Click **Finish**.
8. Right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
10. Use the CMTrace application to view the **distmgr.log** file and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
```
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
>In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
```
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects**, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
```
cmd /c dir /s /b C:\RemoteInstall\SMSImages
C:\RemoteInstall\SMSImages\PS100004
C:\RemoteInstall\SMSImages\PS100005
C:\RemoteInstall\SMSImages\PS100006
C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
```
>The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
## Create a Windows 10 reference image
If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. Copy the reference image file (REFW10-X64-001.wim) from C:\MDTBuildLab\Captures\REFW10X64-001.wim to C:\Sources\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim.
If you have not yet created a Windows 10 reference image, complete the following steps.
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
```
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
5. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**<BR>
- Share name: **MDTBuildLab$**<BR>
- Deployment share description: **MDT build lab**<BR>
- Options: click **Next** to accept the default<BR>
- Summary: click **Next**<BR>
- Progress: settings will be applied<BR>
- Confirmation: click **Finish**
6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
8. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**<BR>
- Source: **D:\\** <BR>
- Destination: **W10Ent_x64**<BR>
- Summary: click **Next**
- Confirmation: click **Finish**
9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library.
10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
- Template: **Standard Client Task Sequence**
- Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: **http://www.contoso.com**
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: click **Next**
- Confirmation: click **Finish**
11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
>Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
17. Click **OK** to complete editing the task sequence.
18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab.
19. Replace the default rules with the following text:
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=YES
FinishAction=SHUTDOWN
DoNotCreateExtraPartition=YES
ApplyGPOPack=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTBuildLab$
UserDomain=CONTOSO
UserID=administrator
UserPassword=pass@word1
SkipBDDWelcome=YES
```
21. Click **OK** to complete the configuration of the deployment share.
22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
>Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
```
New-VM Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
Start-VM REFW10X64-001
vmconnect localhost REFW10X64-001
```
26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
- Install the Windows 10 Enterprise operating system.
- Install added applications, roles, and features.
- Update the operating system using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
## Add a Windows 10 operating system image
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64"
cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
```
2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**.
3. On the Data Source page, under **Path:**, type **\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**.
4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**.
5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**.
6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
## Create a task sequence
1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**.
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
4. On the Details page, enter the following settings:<BR>
- Join a domain: contoso.com<BR>
- Account: click **Set**<BR>
- User name: contoso\administrator<BR>
- Password: pass@word1<BR>
- Confirm password: pass@word1<BR>
- Click **OK**<BR>
- Windows Settings<BR>
- User name: Contoso<BR>
- Organization name: Contoso<BR>
- Product key: \<blank\><BR>
- Administrator Account: Enable the account and specify the local administrator password<BR>
- Password: pass@word1<BR>
- Confirm password: pass@word1<BR>
- Click Next<BR>
5. On the Capture Settings page, accept the default settings and click **Next**.
6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**.
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**.
8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**.
9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**.
10. On the Deployment Method page, accept the default settings and click **Next**.
11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**.
12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**.
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type \\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings, and then click **Next**.
14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**.
15. On the Sysprep Package page, click **Next** twice.
16. On the Confirmation page, click **Finish**.
## Edit the task sequence
1. In the Configuration Manager console, in the Software Library workspace, click Task Sequences, right-click Windows 10 Enterprise x64, and then click Edit.
2. Scroll down to the Install group and click Set Variable for Drive Letter.
3. Change the Value under OSDPreserveDriveLetter from False to True, and click Apply.
4. In the **State Restore** group, click **Set Status 5**, click **Add**, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**.
5. Configure the **Request State Store** action that was just added with the following settings:<BR>
- Request state storage location to: **Restore state from another computer**<BR>
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.<BR>
- Options tab: Select the **Continue on error** checkbox.<BR>
- Add Condition: **Task Sequence Variable**:<BR>
- Variable: **USMTLOCAL** <BR>
- Condition: **not equals**<BR>
- Value: **True**<BR>
- Click **OK**.<BR>
- Click **Apply**<BR>.
6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
7. Configure the **Release State Store** action that was just added with the following settings:<BR>
- Options tab: Select the **Continue on error** checkbox.<BR>
- Add Condition: **Task Sequence Variable**:<BR>
- Variable: **USMTLOCAL** <BR>
- Condition: **not equals**<BR>
- Value: **True**<BR>
- Click **OK**.<BR>
- Click **OK**<BR>.
## Finalize the operating system configuration
1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
2. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTProduction**<BR>
- Share name: **MDTProduction$**<BR>
- Deployment share description: **MDT Production**<BR>
- Options: click **Next** to accept the default<BR>
- Summary: click **Next**<BR>
- Progress: settings will be applied<BR>
- Confirmation: click **Finish**
3. Right-click the **MDT Production** deployment share, and click **Properties**.
4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```
notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
```
6. Replace the contents of the file with the following text:
```
[Settings]
Priority=Default
Properties=OSDMigrateConfigFiles,OSDMigrateMode
[Default]
DoCapture=NO
ComputerBackupLocation=NONE
MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
OSDMigrateMode=Advanced
OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
SLSHARE=\\SRV1\Logs$
EventService=http://SRV1:9800
ApplyGPOPack=NO
```
7. In the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
9. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
10. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
## Create a deployment for the task sequence
1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**.
2. On the General page, next to **Collection**, click **Browse** and select the **All Unknown Computers** collection, then click **Next**.
3. On the Deployment Settings page, use the following settings:<BR>
- Purpose: Available<BR>
- Make available to the following: Only media and PXE<BR>
- Click Next.<BR>
4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
5. Click **Close**.
## Deploy Windows 10 using PXE and Configuration Manager
1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```
New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
Start-VM PC3
vmconnect localhost PC3
```
2. Press ENTER when prompted to start the network boot service.
3. In the Task Sequence Wizard, provide the password: pass@word1, and then click Next.
4. The Windows 10 Enterprise x64 task sequence is selected, click Next.
- ok I have an error that PS100001 cannot be located on a distribution point.
- I tried going to content status and this seems to be the USMT and it says it is successfully distributed
- I tried software library, boot images, and distribute these - this didn't help
- I tried software library, application management, packages, distribute content but the distribution point isn't showing up. This is likely the problem.
## Related Topics
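Review bot: the four bullets after step 4 of "Deploy Windows 10 using PXE and Configuration Manager" ("ok I have an error that PS100001 cannot be located on a distribution point", "I tried software library, application management, packages, distribute content but the distribution point isn't showing up") are the author's troubleshooting notes rather than procedure steps, and the procedure ends there, so the page cannot be followed past the task sequence selection. Either finish the steps (the last note already identifies the missing action: distribute the package to the SRV1.CONTOSO.COM distribution point from the Packages node, the same way the task sequence content was distributed in step 9 of the previous section) or mark the section as incomplete before it is published. The "Related Topics" heading at the end of the file is also empty.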
 
 

@ -1,683 +0,0 @@
---
title: Deploy Windows 10 in a test lab (Windows 10)
description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Step by step guide: Deploy Windows 10 in a test lab
**Applies to**
- Windows 10
If you are interested in upgrading to Windows 10 and want to know more about the upgrade process, then keep reading...
Do you have a computer running Windows 8 or later with 16GB of RAM? If so, then you have everything you need to set up a Windows 10 test lab. You can even clone computers from your network and see exactly what happens when they are upgraded to Windows 10.
## In this guide
This guide provides step-by-step instructions for configuring a proof of concept (PoC) environment where you can deploy Windows 10. The PoC environment is configured using Hyper-V and a minimum amount of resources. Simple to use Windows PowerShell commands are provided for setting up the test lab.
The following topics and procedures are provided in this guide:
- [Hardware and software requirements](#hardware-and-software-requirements): Prerequisites to complete this guide.<BR>
- [Lab setup](#lab-setup): A description and diagram of the PoC environment that is configured.<BR>
- [Configure the PoC environment](#configure-the-poc-environment): Step by step guidance for the following procedures:
- [Verify support and install Hyper-V](#verify-support-and-install-hyper-v): Verify that installation of Hyper-V is supported, and install the Hyper-V server role.
- [Download VHD and ISO files](#download-vhd-and-iso-files): Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.
- [Convert PC to VHD](#convert-pc-to-vhd): Convert a physical computer on your network to a VHDX file and prepare it to be used on the Hyper-V host.
- [Resize VHD](#resize-vhd): Increase the storage capacity for one of the Windows Server VMs.
- [Configure Hyper-V](#configure-hyper-v): Create virtual switches, determine available RAM for virtual machines, and add virtual machines.
- [Configure VHDs](#configure-vhds): Start virtual machines and configure all services and settings.
The following optional topics are also available:
- [Appendix A: Configuring Hyper-V on Windows Server 2008 R2](#appendix-a-configuring-hyper-v-on-windows-server-2008-r2): Information about using this guide with a Hyper-V host running Windows Server 2008 R2.
- [Appendix B: Verify the configuration](#appendix-b-verify-the-configuration): Verify and troubleshoot network connectivity and services in the PoC environment.
When you have completed the steps in this guide, see the following topics for step by step instructions to deploy Windows 10 using the PoC environment under common scenarios with current deployment tools:
- [Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
## Hardware and software requirements
One computer that meets the hardware and software specifications below is required to complete the guide; a second computer is recommended to validate the upgrade process.
The second computer is used to clone and mirror a client computer (computer 2) from your corporate network to the POC environment. Alternatively, you can use an arbitrary VM to represent this computer, therefore this computer is not required to complete the lab.
<table border="1" cellpadding="2">
<tr>
<td></td>
<td BGCOLOR="#a0e4fa">**Computer 1** (required)</td>
<td BGCOLOR="#a0e4fa">**Computer 2** (recommended)</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">Role</td>
<td>Hyper-V host</td>
<td>Client computer</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">Description</td>
<td>This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.</td>
<td>This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VHD for upgrade demonstration purposes.</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">OS</td>
<td>Windows 8/8.1/10 or Windows Server 2012/2012 R2/2016<B>*</B></td>
<td>Windows 7 or later</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">Edition</td>
<td>Enterprise, Professional, or Education</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">Architecture</td>
<td>64-bit</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">RAM</td>
<td>8 GB RAM (16 GB recommended)</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">Disk</td>
<td>50 GB available hard disk space (100 GB recommended)</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">CPU</td>
<td>SLAT-Capable CPU</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa">Network</td>
<td>Internet connection</td>
<td>Any</td>
</tr>
</table>
>Retaining applications and settings during the upgrade process requires that architecture (32 or 64-bit) is the same before and after the upgrade.
<B>*</B>The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. The performance and features of the Hyper-V role are also much improved on later operating systems. If your host must be running Windows Server 2008 R2, see [Appendix A: Configuring Hyper-V settings on 2008 R2](#appendix-a-configuring-hyper-v-on-windows-server-2008-r2).
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
## Lab setup
- The Hyper-V host computer (computer 1) is configured to host four VMs on a private, proof of concept network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
- Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
- Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
The lab architecture is summarized in the following diagram:
![PoC](images/poc.png)
**Note**:
>If you have an existing Hyper-V host, you can use this host if desired and skip the Hyper-V installation section in this guide.
>The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.
## Configure the PoC environment
### Procedures in this section
[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)<BR>
[Download VHD and ISO files](#download-vhd-and-iso-files)<BR>
[Convert PC to VHD](#convert-pc-to-vhd)<BR>
[Resize VHD](#resize-vhd)<BR>
[Configure Hyper-V](#configure-hyper-v)<BR>
[Configure VHDs](#configure-vhds)<BR>
### Verify support and install Hyper-V
1. Verify that the computer supports Hyper-V.
Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. To verify your computer supports SLAT, open an administrator command prompt, type systeminfo, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements.
See the following example:
```
C:\>systeminfo
...
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
```
In this example, the computer supports SLAT and Hyper-V.
If one or more requirements are evaluated as "No" then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the "Virtualization Enabled In Firmware" setting from "No" to "Yes." The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](http://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example:
```
C:\>coreinfo -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
Copyright (C) 2008-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
Microcode signature: 0000001B
HYPERVISOR - Hypervisor is present
VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
```
Note: A 64-bit operating system is required to run Hyper-V.
2. Enable Hyper-V.
The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
```
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
```
When you are prompted to restart the computer, choose Yes. The computer might restart more than once.
You can also install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** (client OS), or using Server Manager's **Add Roles and Features Wizard** (server OS), as shown below:
![hyper-v feature](images/hyper-v-feature.png)
![hyper-v](images/svr_mgr2.png)
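As an added check that is not part of the original guide, the following script wraps the same four Hyper-V requirements that systeminfo reports, plus the 64-bit and feature-state checks, into one function that can be rerun after changing BIOS settings. It assumes a host running Windows 10 or Windows Server 2016 with PowerShell 5.1, where Get-ComputerInfo is available; on a Windows 8.1 host use the systeminfo or coreinfo output above instead.

```powershell
# Added example, not from the original guide.  Pre-flight check for the Hyper-V host:
# reads the "Hyper-V Requirements" values via Get-ComputerInfo (PowerShell 5.1+)
# and reports whether the Hyper-V feature is already enabled.  Run elevated.
function Test-PocHyperVHost {
    [CmdletBinding()]
    param()

    $info = Get-ComputerInfo

    # The same four values that systeminfo prints under "Hyper-V Requirements".
    $requirements = [ordered]@{
        'VM Monitor Mode Extensions'          = $info.HyperVRequirementVMMonitorModeExtensions
        'Virtualization Enabled In Firmware'  = $info.HyperVRequirementVirtualizationFirmwareEnabled
        'Second Level Address Translation'    = $info.HyperVRequirementSecondLevelAddressTranslation
        'Data Execution Prevention Available' = $info.HyperVRequirementDataExecutionPreventionAvailable
    }

    $missing = @()
    if (-not [Environment]::Is64BitOperatingSystem) { $missing += '64-bit operating system' }

    # When a hypervisor is already running, Windows reports HyperVisorPresent = True and
    # leaves the individual requirement fields empty; treat that as "capable".
    if (-not $info.HyperVisorPresent) {
        foreach ($name in $requirements.Keys) {
            if ($requirements[$name] -ne $true) { $missing += $name }
        }
    }

    # Feature state via DISM.  The feature name differs between client and server SKUs,
    # so an unknown name is reported as 'Unknown' rather than treated as a failure.
    $state = 'Unknown'
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction Stop
        $state = [string]$feature.State
    } catch { }

    [pscustomobject]@{
        HypervisorPresent = [bool]$info.HyperVisorPresent
        Requirements      = $requirements
        FeatureState      = $state
        Missing           = $missing
        Supported         = ($missing.Count -eq 0)
    }
}

# Usage: run the check and print what to do next.
$check = Test-PocHyperVHost
$check | Format-List
if (-not $check.Supported) {
    Write-Warning ("Hyper-V cannot be installed on this host. Missing: " + ($check.Missing -join ', '))
    Write-Warning "If only 'Virtualization Enabled In Firmware' is missing, enable Intel VT-x / AMD-V in the BIOS or UEFI settings and rerun."
}
elseif ($check.FeatureState -ne 'Enabled') {
    Write-Host "Host is Hyper-V capable but the feature is not enabled. Run:"
    Write-Host "  Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All"
}
else {
    Write-Host "Hyper-V is installed and the host meets all requirements."
}
```

The firmware check is the one most often fixable without new hardware, which is why the warning singles it out; the other three are CPU capabilities and cannot be changed in settings.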
### Download VHD and ISO files
1. Create a directory on your Hyper-V host named C:\VHD and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the C:\VHD directory.
**Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD.
![VHD](images/download_vhd.png)
2. Rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is not required, but is done to make the filename simpler to recognize.
3. Copy the VHD to a second file also in the C:\VHD directory and name this VHD **2012R2-poc-2.vhd**.
4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the C:\VHD directory on your Hyper-V host. During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. Note that Windows 10 in-place upgrade is only possible if the source operating system and installation media are both 32-bit or both 64-bit, so you should download the file version that corresponds to the version of your source computer for upgrade testing.
5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simpler to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
The following commands and output display the procedures described in this section:
```
C:\>mkdir VHD
C:\>cd VHD
C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
1 file(s) copied.
C:\VHD>ren *.iso w10-enterprise.iso
C:\VHD>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
w10-enterprise.iso
```
### Convert PC to VHD
**Important**:Before you convert a PC to VHD, verify that you have access to a local administrator account on the computer. Alternatively you can use a domain account with administrative rights if these credentials are cached on the computer and your domain policy allows the use of cached credentials for login.
>For purposes of the test lab, you must use a PC with a single hard drive that is assigned a drive letter of C:. Systems with multiple hard drives or non-standard configurations can also be upgraded using PC refresh and replace scenarios, but these systems require more advanced deployment task sequences than those used in this lab.
1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy disk2vhd.exe to a flash drive or other location that is accessible from the computer you wish to convert.
>Note: You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media.
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
3. Select checkboxes next to the volumes you wish to copy and specify a location to save the resulting VHD or VHDX file. If your Hyper-V host is running Windows Server 2008 R2 you must choose VHD, otherwise choose VHDX.
4. Click **Create** to start creating a VHDX file.
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
```
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
w10-enterprise.iso
w7.VHDX
```
### Resize VHD
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 80GB to support installing imaging tools and storing OS images.
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 80GB
$x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -Passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
```
2. Verify that the mounted VHD drive is resized to 80 GB, and then dismount the drive:
```
Get-Volume -DriveLetter $x
Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
```
### Configure Hyper-V
Note: The Hyper-V Windows PowerShell module is not available on Windows Server 2008 R2. For more information, see [Appendix A: Configuring Hyper-V settings on 2008 R2](#appendix-a-configuring-hyper-v-on-windows-server-2008-r2).
**Important**:You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy, then right-clicking and selecting paste.
Instructions to "type" commands provided in this guide can be typed, but in most cases the preferred method is to copy and paste these commands.
1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
>If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is "**already bound to the Microsoft Virtual Switch protocol.**" In this case, choose one of the following options:<BR>
&nbsp;&nbsp;&nbsp;a) Remove the existing external virtual switch, then add the poc-external switch<BR>
&nbsp;&nbsp;&nbsp;b) Rename the existing external switch to "poc-external"<BR>
&nbsp;&nbsp;&nbsp;c) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch<BR>
If you choose b) or c), then do not run the second command below.
```
New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and $_.NdisPhysicalMedium -eq 14}).Name -Notes "PoC External"
```
>Also, since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. This is automated in the example here by filtering for active ethernet adapters using the Get-NetAdapter cmdlet. If your Hyper-V host has multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the specific value needed for the -NetAdapterName option. This value corresponds to the name of the network interface you wish to use.
2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
```
(Get-Counter -Counter @("\Memory\Available MBytes")).countersamples.cookedvalue
```
>This command will display the megabytes of RAM available. On a Hyper-V host computer with 16 GB of physical RAM installed, 12,000 MB of RAM or greater should be available if the computer is not also running other applications. If the computer has less than 12,000 MB of available RAM, try closing applications to free up more memory.
3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
```
(Get-Counter -Counter @("\Memory\Available MBytes")).countersamples.cookedvalue/4
2775.5
```
In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
4. At the elevated Windows PowerShell prompt, type the following command to create three new VMs. The fourth VM will be added later.
>**Important**: Replace the value of 2700MB in the first command below with the RAM value that you calculated in the previous step:
```
$maxRAM = 2700MB
New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
```
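The switch, memory and VM steps of this section, combined into one script as an added example (this is not code from the original guide). It assumes the guide's names and paths (C:\VHD, poc-internal, poc-external, DC1, SRV1 and PC1) and handles the two failure modes the notes above describe: an external switch that already exists is reused instead of attempting to bind the NIC a second time, and a host with more than one active wired adapter stops and asks for -AdapterName rather than failing inside New-VMSwitch. It is safe to rerun; existing switches and VMs are skipped.

```powershell
# Added example, not from the original guide: idempotent "Configure Hyper-V" steps.
# Run at an elevated PowerShell prompt on the Hyper-V host.
param(
    [string]$VhdDir      = 'C:\VHD',
    [string]$InternalSw  = 'poc-internal',
    [string]$ExternalSw  = 'poc-external',
    [string]$AdapterName = '',   # set this when the host has several active wired adapters
    [int]$VmCount        = 4     # VMs that will run at the same time (used for the RAM budget)
)

# 1. Internal switch: binds no physical NIC, so it is always safe to create.
if (-not (Get-VMSwitch -Name $InternalSw -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $InternalSw -SwitchType Internal -Notes 'PoC Network' | Out-Null
}

# 2. External switch: reuse an existing one (option b/c in the guide), otherwise pick the NIC.
$existing = Get-VMSwitch -SwitchType External -ErrorAction SilentlyContinue | Select-Object -First 1
if ($existing) {
    $ExternalSw = $existing.Name
    Write-Host "Using existing external switch '$ExternalSw'."
}
else {
    if (-not $AdapterName) {
        # NdisPhysicalMedium 14 = 802.3 (wired Ethernet), the same filter the guide uses.
        $nics = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.NdisPhysicalMedium -eq 14 })
        if ($nics.Count -ne 1) {
            throw "Expected exactly one active wired adapter, found $($nics.Count): $(($nics | ForEach-Object Name) -join ', '). Rerun with -AdapterName."
        }
        $AdapterName = $nics[0].Name
    }
    New-VMSwitch -Name $ExternalSw -NetAdapterName $AdapterName -Notes 'PoC External' | Out-Null
}

# 3. RAM budget: available MB divided by the number of concurrent VMs, rounded down to 100 MB.
$availMB = [int](Get-Counter -Counter '\Memory\Available MBytes').CounterSamples.CookedValue
$perVmMB = [int]([math]::Floor($availMB / $VmCount / 100) * 100)
if ($perVmMB -lt 1024) { Write-Warning "Only $perVmMB MB per VM; close applications or lower -VmCount." }
$maxRAM  = [int64]$perVmMB * 1MB

# 4. VMs.  SRV1 also gets a NIC on the external switch and a larger dynamic-memory buffer.
$vms = @(
    @{ Name = 'DC1';  Vhd = "$VhdDir\2012R2-poc-1.vhd"; Buffer = 20; External = $false },
    @{ Name = 'SRV1'; Vhd = "$VhdDir\2012R2-poc-2.vhd"; Buffer = 80; External = $true  },
    @{ Name = 'PC1';  Vhd = "$VhdDir\w7.vhdx";          Buffer = 20; External = $false }
)
foreach ($vm in $vms) {
    if (Get-VM -Name $vm.Name -ErrorAction SilentlyContinue) {
        Write-Host "$($vm.Name) already exists, skipping."
        continue
    }
    if (-not (Test-Path $vm.Vhd)) { throw "Missing VHD for $($vm.Name): $($vm.Vhd)" }
    New-VM -Name $vm.Name -VHDPath $vm.Vhd -SwitchName $InternalSw | Out-Null
    Set-VMMemory -VMName $vm.Name -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer $vm.Buffer
    Enable-VMIntegrationService -Name 'Guest Service Interface' -VMName $vm.Name
    if ($vm.External) { Add-VMNetworkAdapter -VMName $vm.Name -SwitchName $ExternalSw }
}

$names = $vms | ForEach-Object { $_.Name }
Get-VM | Where-Object { $names -contains $_.Name } | Format-Table Name, State, MemoryMaximum -AutoSize
```

Refusing to guess the adapter is deliberate: binding the wrong NIC to an external switch on a host that also sits on the corporate LAN is how a PoC network ends up bridged to production.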
### Configure VHDs
1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first VM by typing the following command:
```
Start-VM DC1
```
2. Wait for the VM to complete starting up, and then connect to it either using the Hyper-V Manager console (virtmgmt.msc) or using an elevated command prompt on the Hyper-V host:
```
vmconnect localhost DC1
```
3. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**.
4. Sign in to DC1 using the local administrator account. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
```
Rename-Computer DC1
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
```
>The default gateway at 192.168.0.2 will be configured later in this guide.
6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
```
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
```
7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 5 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
```
Restart-Computer
```
8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string:
```
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
```
Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
```
Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
Add-WindowsFeature -Name DHCP -IncludeManagementTools
netsh dhcp add securitygroups
Restart-Service DHCPServer
Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
```
10. Next, add a DHCP scope and set option values:
```
Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
```
>The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to the vEthernet interface on the Hyper-V host, which is a member of the internal network.
11. Add a user account to the contoso.com domain that can be used with client computers:
```
New-ADUser -Name "User1" -UserPrincipalName user1 -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
```
12. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that DC1 can forward DNS queries to SRV1 and resolve Internet names without a forwarder outside the PoC network. Because 192.168.0.2 was already listed as a DNS server on DC1's network adapter (step 5), it is added automatically as a server-level forwarder during the DCPROMO process. To verify this forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
```
Get-DnsServerForwarder
```
The following output should be displayed:
```
UseRootHint : True
Timeout(s) : 3
EnableReordering : True
IPAddress : 192.168.0.2
ReorderedIPAddress : 192.168.0.2
```
If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
```
Add-DnsServerForwarder -IPAddress 192.168.0.2
```
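An added verification script for DC1 (not part of the original guide) that checks the results of steps 9 through 12 in one pass, so the VM can be rechecked after any change rather than eyeballing each cmdlet's output. It assumes the addresses, zone and account names used above. The binding check is there because of the rogue-DHCP concern in the lab setup notes: the DHCP service must not be listening on any interface outside 192.168.0.0/24.

```powershell
# Added example, not from the original guide: post-configuration checks for DC1.
# Run at an elevated PowerShell prompt on DC1.  Each check is a script block that
# returns $true or $false; a thrown error counts as a failure.
$checks = [ordered]@{

    'DNS: reverse zone 0.168.192.in-addr.arpa exists' = {
        [bool](Get-DnsServerZone -Name '0.168.192.in-addr.arpa' -ErrorAction SilentlyContinue)
    }
    'DNS: server-level forwarder is 192.168.0.2' = {
        (Get-DnsServerForwarder).IPAddress.IPAddressToString -contains '192.168.0.2'
    }
    'DHCP: this server is authorized in Active Directory' = {
        (Get-DhcpServerInDC).IPAddress.IPAddressToString -contains '192.168.0.1'
    }
    'DHCP: PoC scope 192.168.0.0 is active' = {
        (Get-DhcpServerv4Scope -ScopeId 192.168.0.0 -ErrorAction SilentlyContinue).State -eq 'Active'
    }
    'DHCP: scope hands out router 192.168.0.2 and DNS 192.168.0.1' = {
        $opt = Get-DhcpServerv4OptionValue -ScopeId 192.168.0.0
        (($opt | Where-Object { $_.OptionId -eq 3 }).Value -contains '192.168.0.2') -and
        (($opt | Where-Object { $_.OptionId -eq 6 }).Value -contains '192.168.0.1')
    }
    # Rogue-DHCP guard: the service must be bound only to PoC-network interfaces,
    # never to an adapter that can reach the corporate LAN.
    'DHCP: bound only to interfaces in 192.168.0.0/24' = {
        $bound = @(Get-DhcpServerv4Binding | Where-Object { $_.BindingState })
        $bound.Count -gt 0 -and
        -not ($bound | Where-Object { $_.IPAddress.IPAddressToString -notlike '192.168.0.*' })
    }
    'AD: User1 exists and is enabled' = {
        $u = Get-ADUser -Filter "Name -eq 'User1'" -ErrorAction SilentlyContinue
        ([bool]$u) -and $u.Enabled
    }
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = $false
    try { $ok = [bool](& $checks[$name]) } catch { $ok = $false }
    if ($ok) { Write-Host ("OK    {0}" -f $name) -ForegroundColor Green }
    else     { Write-Host ("FAIL  {0}" -f $name) -ForegroundColor Red; $failed++ }
}
if ($failed -gt 0) {
    Write-Warning "$failed check(s) failed. For a missing forwarder run: Add-DnsServerForwarder -IPAddress 192.168.0.2"
}
else {
    Write-Host 'DC1 is configured as the guide expects.'
}
```

Option 3 and option 6 are the DHCP codes for Router and DNS Servers respectively, which is what Set-DhcpServerv4OptionValue -Router and -DnsServer set in step 10.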
13. Minimize the DC1 VM window but **do not stop** the VM.
Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
14. Using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
```
Start-VM PC1
vmconnect localhost PC1
```
15. Sign on to PC1 using an account that has local administrator rights.
>PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
16. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes.
![PoC](images/installing-drivers.png)
>If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
17. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
18. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the contoso.com domain controller.
To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**."
```
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : contoso.com
Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
Ipv4 Address. . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2
ping dc1.contoso.com
Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
nltest /dsgetdc:contoso.com
DC: \\DC1
Address: \\192.168.0.1
Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
Dom Name: CONTOSO
Forest Name: contoso.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
```
>If PC1 is running Windows 7, enhanced session mode is not available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
19. Open an elevated Windows PowerShell ISE window on the Hyper-V host and type the following commands in the (upper) script editor pane:
```
(Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
$user = "contoso\administrator"
$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
Add-Computer -DomainName contoso.com -Credential $cred
Restart-Computer
```
20. Click **File**, click **Save As**, and save the commands as **c:\VHD\ps1.ps1** on the Hyper-V host.
21. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services:
```
Copy-VMFile "PC1" SourcePath "C:\VHD\pc1.ps1" DestinationPath "C:\pc1.ps1" CreateFullPath FileSource Host
```
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service.
22. On PC1, type the following commands at an elevated Windows PowerShell prompt:
```
Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
```
>PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. We have not also renamed PC1 to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
23. After PC1 restarts, sign in to the contoso.com domain with the (user1) account you created in step 11 of this section.
>The settings that will be used to migrate user data specifically select only accounts that belong to the CONTOSO domain. If you wish to test migration of user data and settings with an account other than the user1 account, you must copy this account's profile to the user1 profile.
24. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
25. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
```
Start-VM SRV1
vmconnect localhost SRV1
```
26. Accept the default settings, read license terms and accept them, provide an administrator password of **pass@word1**, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
27. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
28. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
```
Rename-Computer SRV1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.2 PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
Restart-Computer
```
29. Wait for the computer to restart, then type or paste the following commands at an elevated Windows PowerShell prompt:
```
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
$user = "contoso\administrator"
$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
Add-Computer -DomainName contoso.com -Credential $cred
Restart-Computer
```
30. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
```
Install-WindowsFeature -Name DNS -IncludeManagementTools
Install-WindowsFeature -Name WDS -IncludeManagementTools
Install-WindowsFeature -Name Routing -IncludeManagementTools
```
31. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
```
Get-NetAdapter | ? status -eq up | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
IPAddress InterfaceAlias
--------- --------------
10.137.130.118 Ethernet 2
192.168.0.2 Ethernet
```
In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services.
32. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
```
Install-RemoteAccess -VpnType Vpn
cmd /c netsh routing ip nat install
cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
```
33. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
```
Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
```
34. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
```
ping www.microsoft.com
```
If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
**Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
```
Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
```
35. If DNS and routing are both working correctly, you will see the following on DC1 and PC1:
```
PS C:\> ping www.microsoft.com
Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
Ping statistics for 23.222.146.170:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
```
36. Verify that all three VMs can reach each other, and the Internet. See [Appendix B: Verify the configuration](#appendix-b-verify-the-configuration) for more information.
37. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
```
slmgr -rearm
Restart-Computer
```
## Appendix A: Configuring Hyper-V on Windows Server 2008 R2
If your Hyper-V host is running Windows Server 2008 R2, several of the steps in this guide will not work because they use the Hyper-V Module for Windows PowerShell, which is not available on Windows Server 2008 R2.
To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console.
An example that uses Hyper-V WMI to create a virtual switch on Windows Server 2008 R2 is provided below. Converting all Hyper-V module commands used in this guide to Hyper-V WMI is beyond the scope of the guide. If you must use a Hyper-V host running Windows Server 2008 R2, the steps in the guide can be accomplished by using the Hyper-V Manager console.
```
$SwitchFriendlyName = "poc-internal"
$InternalEthernetPortFriendlyName = $SwitchFriendlyName
$InternalSwitchPortFriendlyName = "poc"
$SwitchName = [guid]::NewGuid().ToString()
$InternalSwitchPortName = [guid]::NewGuid().ToString()
$InternalEthernetPortName = [guid]::NewGuid().ToString()
$NumLearnableAddresses = 1024
$ScopeOfResidence = ""
$VirtualSwitchManagementService = gwmi Msvm_VirtualSwitchManagementService -namespace "root\virtualization"
$Result = $VirtualSwitchManagementService.CreateSwitch($SwitchName, $SwitchFriendlyName, $NumLearnableAddresses, $ScopeOfResidence)
$Switch = [WMI]$Result.CreatedVirtualSwitch
$Result = $VirtualSwitchManagementService.CreateSwitchPort($Switch, $InternalSwitchPortName, $InternalSwitchPortFriendlyName, $ScopeOfResidence)
$InternalSwitchPort = [WMI]$Result.CreatedSwitchPort
$Result = $VirtualSwitchManagementService.CreateInternalEthernetPortDynamicMac($InternalEthernetPortName, $InternalEthernetPortFriendlyName)
$InternalEthernetPort = [WMI]$Result.CreatedInternalEthernetPort
$query = "Associators of {$InternalEthernetPort} Where ResultClass=CIM_LanEndpoint"
$InternalLanEndPoint = gwmi -namespace root\virtualization -query $query
$Result = $VirtualSwitchManagementService.ConnectSwitchPort($InternalSwitchPort, $InternalLanEndPoint)
$filter = "SettingID='" + $InternalEthernetPort.DeviceID +"'"
$NetworkAdapterConfiguration = gwmi Win32_NetworkAdapterConfiguration -filter $filter
```
To install Hyper-V on Windows Server 2008 R2, you can use the Add-WindowsFeature cmdlet:
```
Add-WindowsFeature -Name Hyper-V
```
For more information about the Hyper-V Manager interface in Windows Server 2008 R2, see [Hyper-V](https://technet.microsoft.com/library/cc730764.aspx) in the Windows Server TechNet Library.
## Appendix B: Verify the configuration
Use the following procedures to verify that the PoC environment is configured properly and working as expected.
1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
```
Get-Service NTDS,DNS,DHCP
DCDiag -a
Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
Get-DhcpServerInDC
Get-DhcpServerv4Statistics
ipconfig /all
```
**Get-Service** displays a status of "Running" for all three services.<BR>
**DCDiag** displays "passed test" for all tests.<BR>
**Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.<BR>
**Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.<BR>
**Resolve-DnsName** displays public IP address results for www.microsoft.com.<BR>
**Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.<BR>
**Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).<BR>
**ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
```
Get-Service DNS,RemoteAccess
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
ipconfig /all
netsh int ipv4 show address
```
**Get-Service** displays a status of "Running" for both services.<BR>
**Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.<BR>
**Resolve-DnsName** displays public IP address results for www.microsoft.com.<BR>
**ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.<BR>
**netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
```
whoami
hostname
nslookup www.microsoft.com
ping -n 1 dc1.contoso.com
tracert www.microsoft.com
```
**whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.<BR>
**hostname** displays the name of the local computer, for example W7PC-001.<BR>
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.<BR>
**ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.<BR>
**tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
## Related Topics
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
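Review bot: step 21's `Copy-VMFile` line cannot run as rendered: its parameter names appear without the leading hyphen, and it copies `C:\VHD\pc1.ps1` although step 20 tells the reader to save the script as `c:\VHD\ps1.ps1`; make the two filenames agree and write the command as `Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host`. The `New-NetIPAddress` line in step 28 has the same missing hyphens (`New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24`). The step 19 script embeds the contoso\administrator password in clear text and, after step 22 runs it, stays behind as `C:\pc1.ps1` on PC1; a `Remove-Item C:\pc1.ps1` once the domain join succeeds would keep that credential from outliving the lab step. Minor: "consoto.com" in step 18, "diplayed" in Appendix B step 3, and the sentence "We have not also renamed PC1 to "PC1"" in the step 22 note is hard to parse.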
 
 


@ -38,7 +38,15 @@
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) #### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN profile options](vpn-profile-options.md) ## [VPN technical guide](vpn-guide.md)
### [VPN connection types](vpn-connection-type.md)
### [VPN routing decisions](vpn-routing.md)
### [VPN authentication options](vpn-authentication.md)
### [VPN and conditional access](vpn-conditional-access.md)
### [VPN name resolution](vpn-name-resolution.md)
### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
### [VPN security features](vpn-security-features.md)
### [VPN profile options](vpn-profile-options.md)
## [Windows security baselines](windows-security-baselines.md) ## [Windows security baselines](windows-security-baselines.md)
## [Security technologies](security-technologies.md) ## [Security technologies](security-technologies.md)
### [Access Control Overview](access-control.md) ### [Access Control Overview](access-control.md)
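Review bot: the new nested entries read consistently, but the hunk keeps `### [VPN profile options](vpn-profile-options.md)` as the last child of the guide while replacing the same file at the `##` level; confirm the topic is meant to survive as a sub-topic rather than be retired, because the change-history entry in this commit describes the guide as replacing it. Unrelated but visible in the context line: the filename `use-windows-event-forwarding-to-assist-in-instrusion-detection.md` misspells "intrusion"; renaming it means updating every inbound link, so it belongs in a separate change.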


@ -12,6 +12,12 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure # Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
| New or changed topic | Description |
| --- | --- |
| [VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
## September 2016 ## September 2016
| New or changed topic | Description | | New or changed topic | Description |
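Review bot: the description "Multiple new topics, replacing previous **VPN profile options** topic" conflicts with the TOC hunk in this same commit, which keeps `vpn-profile-options.md` as a child of the new guide; either say the topic was moved under the guide (for example, "Multiple new topics; **VPN profile options** is now a sub-topic of the VPN technical guide") or drop it from the TOC so the two agree.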


@ -33,15 +33,53 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**. a. Select **Endpoint Management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-onboard-mdm.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: a. Select **Policy** > **Configuration Policies** > **Add**.
![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
c. Type a name and description for the policy.
![Microsoft Intune Create Policy](images/atp-intune-policy-name.png)
d. Under OMA-URI settings, select **Add...**.
![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
e. Type the following values then select **OK**:
![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
- **Setting name**: Type a name for the setting.
- **Setting description**: Type a description for the setting.
- **Data type**: Select **String**.
- **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
- **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
f. Save the policy.
![Microsoft Intune save policy](images/atp-intune-save-policy.png)
g. Deploy the policy.
![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png)
h. Select the device group to deploy the policy to:
![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png)
When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**.
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding - Onboarding
- Health Status for onboarded machines - Health Status for onboarded machines
- Configuration for onboarded machines - Configuration for onboarded machines
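Review bot: two image alt texts in the new sub-steps need fixing: step d's `![Microsoft Intune add OMC-URI]` should read OMA-URI, and step e reuses the alt text `Microsoft Intune save policy` from step f for what is the OMA-URI settings dialog, so screen readers get the same description for two different screenshots. The Value bullet in step e tells the reader to paste the whole `WindowsDefenderATP.onboarding` file; a sentence saying this is the same content the Onboarding row of the table below expects would make clear that the sub-steps and the table describe one setting, not two. In the unchanged text of step 3, "see, [Windows 10 policy settings ...]" has the comma on the wrong side of "see".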
@ -49,10 +87,10 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end
Policy | OMA-URI | Type | Value | Description Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:--- :---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> [!NOTE] > [!NOTE]
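Review bot: the relabelled Policy column is clearer, but the SampleSharing row still pairs a Value of "0 or 1, Default value: 1" with a Description that only covers the enabled case; state the effect of 0 (sample sharing off) alongside 1 (on) in the Description cell so a reader who sets it to 0 knows what they are changing.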
@ -83,8 +121,8 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
Policy | OMA-URI | Type | Value | Description Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:--- :---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> [!NOTE] > [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
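Review bot: consistent with the onboarding table above; one cosmetic point: the Sense Is Running row has `| FALSE |Windows Defender ATP service is not running` with no space after the pipe, unlike the other cells, which some Markdown renderers display as a run-on.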


@ -40,89 +40,64 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
## Hardware and software requirements ## Hardware and software requirements
The PC must meet the following hardware and software requirements to use Credential Guard: To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats.
<table> You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
<colgroup>
<col width="50%" /> The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
<col width="50%" />
</colgroup> > [!NOTE]
<thead> > For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
<tr class="header"> > If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
<th align="left">Requirement</th>
<th align="left">Description</th>
</tr> ## Credential Guard requirements for baseline protections
</thead>
<tbody> |Baseline Protections - requirement | Description |
<tr class="odd"> |---------------------------------------------|----------------------------------------------------|
<td align="left"><p>Windows 10 Enterprise</p></td> | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
<td align="left"><p>The PC must be running Windows 10 Enterprise.</p></td> | Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
</tr> | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU<br><br>**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
<tr class="even"> | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
<td align="left"><p>UEFI firmware version 2.3.1 or higher and Secure Boot</p></td> | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.</p></td> | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
</tr> | Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation<br><br>**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
<tr class="odd"> | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
<td align="left"><p>Virtualization extensions</p></td>
<td align="left"><p>The following virtualization extensions are required to support virtualization-based security:</p> > [!IMPORTANT]
<ul> > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
<li>Intel VT-x or AMD-V</li>
<li>Second Level Address Translation</li> ## Credential Guard requirements for improved security
</ul></td>
</tr> The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
<tr class="even">
<td align="left"><p>x64 architecture</p></td> ### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
<td align="left"><p>The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.</p></td>
</tr> | Protections for Improved Security - requirement | Description |
<tr class="odd"> |---------------------------------------------|----------------------------------------------------|
<td align="left"><p>A VT-d or AMD-Vi IOMMU (Input/output memory management unit)</p></td> | Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
<td align="left"><p>In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹</p></td>
</tr> <br>
<tr class="even">
<td align="left"><p>Trusted Platform Module (TPM) version 1.2 or 2.0</p></td> ### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016)
<td align="left"><p>TPM 1.2 and 2.0 provides protection for encryption keys used by virtualization-based security to protect Credential Guard secrets where all other keys are stored. See the following table to determine which TPM versions are supported on your OS.</p>
<table> > [!IMPORTANT]
<th>OS version</th> > The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
<th>Required TPM</th>
<tr> | Protections for Improved Security - requirement | Description |
<td>Windows 10 version 1507</td> |---------------------------------------------|----------------------------------------------------|
<td>TPM 2.0</td> | Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
</tr> | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
<tr> | Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
<td>Windows 10 version 1511, Windows Server 2016, or later</td>
<td>TPM 2.0 or TPM 1.2</td> <br>
</tr>
</table> ### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017)
<div class="alert">
<strong>Note</strong>  If you don't have a TPM installed, Credential Guard will still be enabled, but the virtualization-based security keys used to protect Credential Guard secrets will not bound to the TPM. Instead, the keys will be protected in a UEFI Boot Service variable. | Protections for Improved Security - requirement | Description |
</div> |---------------------------------------------|----------------------------------------------------|
</td> | Firmware: **UEFI NX Protections** | **Requirements**:<br>- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.<br><br>UEFI Runtime Services:<br>- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.<br>- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.<br>- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware. |
</tr> | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
<tr class="odd">
<td align="left"><p>Secure firmware update process</p></td>
<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.</p><p>Credential Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.</p></td>
</tr>
<tr class="even">
<td align="left"><p>The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx)</p></td>
<td align="left"><p>Credential Guard requires the secure MOR bit to help prevent certain memory attacks.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Physical PC</p></td>
<td align="left"><p>For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Virtual machine</p></td>
<td align="left"><p>For PCs running Windows 10, version 1607 or Windows Server 2016, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
</tr>
</tr>
<tr class="even">
<td align="left"><p>Hypervisor</p></td>
<td align="left"><p>You must use the Windows hypervisor.</p></td>
</tr>
</tbody>
</table>
 
¹ If you choose the **Secure Boot and DMA protection** option in the Group Policy setting, an IOMMU is required. The **Secure Boot** Group Policy option enables Credential Guard on devices without an IOMMU.
## Manage Credential Guard ## Manage Credential Guard
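Review bot: 'The following tables describes additional hardware and firmware requirements' in the new 'Credential Guard requirements for improved security' intro should read 'describe'. On content, the 2016 'Securing Boot Configuration and Management' row requires that the 'Microsoft UEFI CA must be removed from Secure Boot DB' and only hints at the cost in the following clause; state it plainly, namely that every third-party UEFI module signed under that CA (option ROMs, boot loaders) stops loading until an ISV or OEM certificate for it is enrolled in the DB, since that is the decision an enterprise is being asked to make. Also confirm the replacement markdown tables still carry the baseline footnote the old HTML table had below it ('If you choose the Secure Boot and DMA protection option ... an IOMMU is required'), because the IOMMU row's superscript reference disappears with the table.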

23 binary image files added (not shown).


@ -312,7 +312,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<tr class="header"> <tr class="header">
<th align="left">Windows Hello for Business mode</th> <th align="left">Windows Hello for Business mode</th>
<th align="left">Azure AD</th> <th align="left">Azure AD</th>
<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016)</th>
<th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th> <th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
</tr> </tr>
</thead> </thead>
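Review bot: dropping the 'Active Directory (AD) on-premises' header cell leaves the table with three columns, so every body row must lose its fourth cell in the same change or the table misaligns; the two hunks that follow do this for the key-based and certificate-based rows, but check the rest of the table past line 341 for any further row. Because the column is removed silently, add a sentence under the table saying that on-premises-only deployment is not covered at the Windows Server 2016 release, rather than leaving readers to infer it from the missing column.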
@ -321,11 +320,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<td align="left">Key-based authentication</td> <td align="left">Key-based authentication</td>
<td align="left">Azure AD subscription</td> <td align="left">Azure AD subscription</td>
<td align="left"><ul> <td align="left"><ul>
<li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
<li>Microsoft System Center 2012 R2 Configuration Manager SP2</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li> <li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li> <li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>A few Windows Server 2016 domain controllers on-site</li> <li>A few Windows Server 2016 domain controllers on-site</li>
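Review bot: the removal splices out '</ul></td>' and the following '<td align="left"><ul>', so the '<ul>' opened on the kept '<td align="left"><ul>' line now wraps the hybrid list; that stays balanced only as long as the hybrid cell's own closing '</ul></td>' further down survives, so verify it does. Separately, after 'Microsoft System Center 2012 R2 Configuration Manager SP2' goes with the on-premises cell, the key-based row names no management tooling at all, while the Microsoft Passport table in this same commit lists 'A management solution, such as Configuration Manager, Group Policy, or MDM' for the equivalent row; the two tables should agree.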
@ -341,12 +335,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<li>PKI infrastructure</li> <li>PKI infrastructure</li>
</ul></td> </ul></td>
<td align="left"><ul> <td align="left"><ul>
<li>ADFS (Windows Server 2016)</li>
<li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
<li>PKI infrastructure</li>
<li>Configuration Manager SP2, Intune, or non-Microsoft MDM solution</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li> <li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li> <li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>AD CS with NDES</li> <li>AD CS with NDES</li>


@ -26,7 +26,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | | [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | | [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
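Review bot: the link text and target change to 'VPN technical guide' (vpn-guide.md) but the description beside it is unchanged and still speaks only of 'useful new VPN profile options'; since the guide fronts the authentication, auto-trigger, conditional access and name resolution topics added in this commit, reword the description to match that broader scope. Also confirm vpn-guide.md itself is part of the commit, as only the sub-topics appear in the diff shown here.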


@ -19,7 +19,7 @@ localizationpriority: high
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
>[!NOTE] >[!NOTE]
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords: Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
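Review bot: narrowing 'these technologies' to 'Microsoft Passport for Work' is more precise, but the sentence before it still says Windows 10 shipped with 'Microsoft Passport and Windows Hello'; either name 'Microsoft Passport for Work' there too or state the consumer/enterprise distinction once so the two sentences line up.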


@ -298,7 +298,6 @@ Table 1. Deployment requirements for Microsoft Passport
<th align="left">Microsoft Passport method</th> <th align="left">Microsoft Passport method</th>
<th align="left">Azure AD</th> <th align="left">Azure AD</th>
<th align="left">Hybrid Active Directory</th> <th align="left">Hybrid Active Directory</th>
<th align="left">On-premises Active Directory only</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
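Review bot: removing the 'On-premises Active Directory only' header is consistent with the Windows Hello for Business table change in this commit, but 'Table 1. Deployment requirements for Microsoft Passport' keeps the old product name while the companion topic has been renamed to Windows Hello for Business; decide whether this page is being retired or renamed, otherwise the two deployment tables will drift apart. As with the other table, every body row must drop its fourth cell in step with this header change.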
@ -312,8 +311,6 @@ Table 1. Deployment requirements for Microsoft Passport
<li>A management solution, such as Configuration Manager, Group Policy, or MDM</li> <li>A management solution, such as Configuration Manager, Group Policy, or MDM</li>
<li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li> <li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li>
</ul></td> </ul></td>
<td align="left"><p>One or more Windows Server 2016 Technical Preview domain controllers</p>
<p>AD FS of Windows Server 2016 Technical Preview</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left">Certificate-based</td> <td align="left">Certificate-based</td>
@ -326,9 +323,6 @@ Table 1. Deployment requirements for Microsoft Passport
<li>AD CS with NDES</li> <li>AD CS with NDES</li>
<li>Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li> <li>Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
</ul></td> </ul></td>
<td align="left"><p>AD DS Windows Server 2016 Technical Preview schema</p>
<p>AD FS of Windows Server 2016 Technical Preview</p>
<p>PKI infrastructure System Center 2012 R2 Configuration Manager with SP2 or later</p></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
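Review bot: the kept context line 'Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work' has three problems the hunk leaves in place: 'Configuration Manager 2016 Technical Preview' is a pre-release reference in a table from which the other Technical Preview cells are being removed, 'InTune' should be 'Intune', and 'Passport for Work' should be 'Windows Hello for Business' to match the rename elsewhere in this commit.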


@ -74,6 +74,8 @@ Event ID | Error Type | Resolution steps
## Troubleshoot onboarding issues using Microsoft Intune ## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
Use the following tables to understand the possible causes of issues while onboarding: Use the following tables to understand the possible causes of issues while onboarding:
- Microsoft Intune error codes and OMA-URIs table - Microsoft Intune error codes and OMA-URIs table
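Review bot: the added sentence on configuring automatic MDM enrollment when Intune policies do not propagate is a useful pointer, but the target is an opaque fwlink; name the article and section in the text ('see the Configure automatic MDM enrollment section of ...') so the reader can still find it if the redirect changes.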
@ -114,7 +116,7 @@ Channel name: Admin
ID | Severity | Event description | Troubleshooting steps ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:--- :---|:---|:---|:---
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. 1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the endpoint ## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
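Review bot: the resolution for event 1819 changes from 'enable the Windows Defender ELAM driver' to 'Download the Cumulative Update for Windows 10, 1607' with no explanation; state which update (KB number) fixes the CSP 'Failed to Set Node's Value' error and whether the ELAM-driver check still applies, otherwise a reader on an already-patched 1607 device has no next step. The unchanged context sentence below also needs fixing: 'If the deployment tools used do not indicate an error' and 'not appearing in the machines view within an hour'.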


@ -0,0 +1,61 @@
---
title: VPN authentication options (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN authentication options
**Applies to**
- Windows 10
- Windows 10 Mobile
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
<table>
<thead><tr><th>Method</th><th>Details</th></thead>
<tbody>
<tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
<tr><td><a href="https://msdn.microsoft.com/library/cc754179.aspx">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="https://msdn.microsoft.com/library/cc238384.aspx">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr>
<tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li>Trusted root certificate for server certificate</li><li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody>
</table>
</br>
For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
- Smart card
- Certificate
- Windows Hello for Business
- User name and password
- One-time password
- Custom credential type
## Configure authentication
See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for EAP XML configuration.
>[!NOTE]
>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) to create a smart card certificate. [Learn more about Windows Hello for Business.](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
![EAP XML configuration in Intune profile](images/vpn-eap-xml.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
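Review bot: 'description: tbd' in the front matter ships as the page's meta description; fill it before merge. In the table, 'Smart card certficates' is misspelled. The opening paragraph says password-based methods 'should be avoided' yet lists PPTP among the built-in types in the same breath, and the table itself shows that server validation is optional for EAP-TLS and PEAP and that PEAP cryptobinding exists specifically to defeat man-in-the-middle attacks; the page should say outright that server validation belongs on and that a bare EAP-MSCHAPv2 exchange (the first row, which has no server validation entry at all) gets none of those protections. The note telling readers to 'create a smart card certificate' to configure Windows Hello for Business is also confusing next to the row that lists a distinct 'Windows Hello for Business certificate'; say which certificate is meant.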


@ -0,0 +1,88 @@
---
title: VPN auto-triggered profile options (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN auto-triggered profile options
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, a number of features were added to auto-trigger VPN so users wont have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- App trigger
- Name-based trigger
- Always On
## App trigger
VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
[Find a package family name (PFN) for per-app VPN configuration](https://docs.microsoft.com/intune/deploy-use/find-a-pfn-for-per-app-vpn)
## Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
There are four types of name-based triggers:
- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
- All: if used, all DNS resolution should trigger VPN.
## Always On
Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
- User sign-in
- Network change
- Device screen on
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
## Trusted network detection
This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Configure app-triggered VPN
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
![Add an app for the VPN connection](images/vpn-app-trigger.png)
After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
![Configure rules for the app](images/vpn-app-rules.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
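Review bot: 'description: tbd' again needs filling, and 'a list of DNS suffices' should be 'a list of DNS suffixes'. The trusted network detection paragraph should make its security dependency explicit: a DNS suffix is handed to the client by whatever network it joins, so the suffix match is only as trustworthy as the 'network is private or provisioned by MDM' condition tacked on at the end of the sentence; state plainly that a matching suffix alone must not be enough to suppress the VPN, since that is the property an untrusted network would try to exploit.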


@ -0,0 +1,127 @@
---
title: VPN and conditional access (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN and conditional access
**Applies to**
- Windows 10
- Windows 10 Mobile
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
>Conditional Access is an Azure AD Premium feature.
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/)
- [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used.
Additional details regarding the Azure AD issued short-lived certificate:
- The default lifetime is 60 minutes and is configurable
- When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
- Encryption compliance
- Device health attestation state (validated against attestation service after query)
The following client-side components are also required:
- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
- Trusted Platform Module (TPM)
## VPN device compliance
Server-side infrastructure requirements to support VPN device compliance include:
- The VPN server should be configured for certificate authentication.
- The VPN server should trust the tenant-specific Azure AD CA
- Either of the below should be true for Kerberos/NTLM SSO:
- Domain servers trust Azure AD CA
- A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
Two client-side configuration service providers are leveraged for VPN device compliance.
- VPNv2 CSP DeviceCompliance settings
- **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
- **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for Kerberos authentication in the case of device compliance.
- **Sso/Enabled**: if this field is set to **true**, the VPN client will look for a separate certificate for Kerberos authentication.
- **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
- **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
- Collects TPM data used to verify health states
- Forwards the data to the Health Attestation Service (HAS)
- Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
## Client connection flow
The VPN client side connection flow works as follows:
![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
When a Device Compliance-enabled VPN connection profile is triggered (either manually or automatically):
1. The VPN client calls into Windows 10s AAD Token Broker, identifying itself as a VPN client.
2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
3. If compliant, Azure AD requests a short-lived certificate
4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
## Configure conditional access
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
![conditional access in profile](images/vpn-conditional-access-intune.png)
>[!NOTE]
>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profiles successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the users device yet.
## Learn more about Conditional Access and Azure AD Health
- [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
- [Getting started with Azure Active Directory Conditional Access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access-azuread-connected-apps/)
- [Control the health of Windows 10-based devices](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
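Review bot: the **Enabled** bullet under "VPNv2 CSP DeviceCompliance settings" says "the VPN server must trust the server returned by Azure AD", which contradicts the server-side list above it ("The VPN server should trust the tenant-specific Azure AD CA"); it should say the VPN server must trust the certificate (issued by the tenant's Azure AD CA) that the client presents. The Azure AD Connect Health link is broken: `https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/` contains a space and looks like an AAD-to-"Azure AD" search-and-replace applied inside a URL; the slug is presumably `active-directory-aadconnect-health`. Same replace left "Windows 10s AAD Token Broker" in step 1 of the connection flow, which should be "Windows 10's Azure AD Token Broker" to match the rest of the topic. Front matter still has `description: tbd`, and step 3 ("If compliant, Azure AD requests a short-lived certificate") is missing its period.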

View File

@ -0,0 +1,84 @@
---
title: VPN connection types (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN connection types
**Applies to**
- Windows 10
- Windows 10 Mobile
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organizations private network.
There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
![VPN connection types](images/vpn-connection.png)
## Built-in VPN client
- Tunneling protocols
- [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [PPTP](https://technet.microsoft.com/library/ff687676.aspx)
- [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
- Automatic
The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure.
Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Universal Windows Platform VPN plug-in
The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
## Configure connection type
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
![Available connection types](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles.
![Custom XML](images/vpn-custom-xml-intune.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
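Review bot: the **Automatic** description ("It will attempt from most secure to least secure") should name the order so admins can see which protocol is last in the fallback chain; since the topic itself lists PPTP among the built-in protocols and ranks them by security, it should add that admins who require a specific tunnel (for example, IKEv2 with the configured **Cryptography Suite**) set **NativeProtocolType** to that protocol rather than **Automatic**, otherwise a failed IKEv2 negotiation silently lands on a weaker tunnel. Also: `description: tbd` is still in the front matter, "the organizations private network" needs an apostrophe, and the vendor name is "SonicWall".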

View File

@ -0,0 +1,45 @@
---
title: Windows 10 VPN technical guide (Windows 10)
description: Use this guide to configure VPN deployment for Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Windows 10 VPN technical guide
**Applies to**
- Windows 10
- Windows 10 Mobile
This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
![Intune VPN policy template](images/vpn-intune-policy.png)
>[!NOTE]
>This guide does not explain server deployment.
## In this guide
| Topic | Description |
| --- | --- |
| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
| [VPN routing decisions](vpn-routing.md) | Choose between split tunnel and force tunnel configuration |
| [VPN authentication options](vpn-authentication.md) | Select a method for Extensible Authentication Protocol (EAP) authentication. |
| [VPN and conditional access](vpn-conditional-access.md) | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
| [VPN name resolution](vpn-name-resolution.md) | Decide how name resolution should work |
| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) | Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks |
| [VPN security features](vpn-security-features.md) | Set a LockDown VPN profile, configure traffic filtering, and connect VPN profile to Windows Information Protection (WIP) |
| [VPN profile options](vpn-profile-options.md) | Combine settings into single VPN profile using XML |
## Learn more
- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
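Review bot: the Description column of the "In this guide" table is inconsistently punctuated: the EAP, conditional access and (implicitly) other rows end with a period while the rest do not; use one convention for all eight rows. The sentence "This guide will walk you through the decisions you will make ... and how to configure your deployment" reads better as "This guide walks you through the decisions you make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment."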

View File

@ -0,0 +1,82 @@
---
title: VPN name resolution (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN name resolution
**Applies to**
- Windows 10
- Windows 10 Mobile
When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces.
## Name Resolution Policy table (NRPT)
The NRPT is a table of namespaces that determines the DNS clients havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of name matches that can set up for NRPT:
- Fully qualified domain name (FQDN) that can used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
NRPT is set using the **VPNv2/*ProfileName*/DomainNameInformationList** node of the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). This node also configures Web proxy server or domain name servers.
[Learn more about NRPT](https://technet.microsoft.com/library/ee649207%28v=ws.10%29.aspx)
## DNS suffix
This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
## Persistent
You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
## Configure name resolution
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
![Add DNS rule](images/vpn-name-intune.png)
The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
| Field | XML |
| --- | --- |
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
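Review bot: the Field/XML table maps **Proxy server** to `VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers`, but the node the profile samples in this commit use is `<WebProxyServers>` (vpn-profile-options.md); the table should say `WebProxyServers`. The Persistent node path has a doubled slash: `DomainNameInformationList//*dniRowId*/Persistent`. Several sentences are missing words: "the DNS clients havior" should be "the DNS client's behavior", "3 types of name matches that can set up" should be "can be set up", "FQDN that can used" should be "can be used", "will only performed over VPN" should be "will only be performed over VPN", and "primaryDNS suffix" needs a space. `description: tbd` is still in the front matter.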

View File

@ -16,48 +16,288 @@ localizationpriority: high
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Always On >[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.
Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
- User sign-on
- Network change
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** &gt; **Network & Internet** &gt; **VPN** &gt; *VPN profile* &gt; **Let apps automatically use this VPN connection**. | Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- |
| Connection type | yes |
| Routing: split-tunnel routes | yes, except exclusion routes |
| Routing: forced-tunnel | yes |
| Authentication (EAP) | yes, if connection type is built-in |
| Conditional access | yes |
| Proxy settings | yes, by PAC/WPAD file or server and port |
| Name resolution: NRPT | yes |
| Name resolution: DNS suffix | no |
| Name resolution: persistent | no |
| Auto-trigger: app trigger | yes |
| Auto-trigger: name trigger | yes |
| Auto-trigger: Always On | no |
| Auto-trigger: trusted network detection | no |
| LockDown | no |
| Windows Information Protection (WIP) | no |
| Traffic filters | yes |
## App-triggered VPN The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. This feature was included in Windows 8.1 as "On demand VPN". The applications can be defined using the following:
- Package family name for Universal Windows Platform (UWP) apps
- File path for Classic Windows applications
## Traffic filters ## Sample Native VPN profile
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy . With the ever-increasing landscape of remote threats on the corporate network and lesser IT controls on machines, it becomes essential to control the traffic that is allowed through. While server-side layers of firewalls and proxies help, by adding traffic filters the first layer of filtering can be moved onto the client with more advanced filtering on the server side. There are two types of Traffic Filter rules: The following is a sample Native VPN profile. This blob would fall under the ProfileXML node.
- **App-based rules**. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface. ```
- **Traffic-based rules**. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface. <VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<NativeProfile>
<Servers>testServer.VPN.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<!--Sample EAP profile (PEAP)-->
<Authentication>
<UserMethod>Eap</UserMethod>
<MachineMethod>Eap</MachineMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
<TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
</ServerValidation>
<FastReconnect>true</FastReconnect>
<InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
<TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<EKUMapping>
<EKUMap>
<EKUName>AAD Conditional Access</EKUName>
<EKUOID>1.3.6.1.4.1.311.87</EKUOID>
</EKUMap>
</EKUMapping>
<ClientAuthEKUList Enabled="true">
<EKUMapInList>
<EKUName>AAD Conditional Access</EKUName>
</EKUMapInList>
</ClientAuthEKUList>
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
<EnableQuarantineChecks>false</EnableQuarantineChecks>
<RequireCryptoBinding>true</RequireCryptoBinding>
<PeapExtensions>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
</PeapExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<!--Sample routing policy: in this case, this is a split tunnel configuration with two routes configured-->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<!--VPN will be triggered for the two apps specified here-->
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>C:\windows\system32\ping.exe</Id>
</App>
</AppTrigger>
<!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by the routing configuration.-->
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile, the domain "hrsite.corporate.contoso.com" triggers VPN.-->
<DomainNameInformation>
<DomainName>hrsite.corporate.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that ID, VPN will be triggered.-->
<EdpModeId>corp.contoso.com</EdpModeId>
<RememberCredentials>true</RememberCredentials>
<!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the profile will not occur if the user is connected to the trusted network "contoso.com".-->
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
<!--Device compliance is enabled and an alternate certificate is specified for domain resource authentication.-->
<DeviceCompliance>
<Enabled>true</Enabled>
<Sso>
<Enabled>true</Enabled>
<Eku>This is my Eku</Eku>
<IssuerHash>This is my issuer hash</IssuerHash>
</Sso>
</DeviceCompliance>
</VPNProfile>
```
There can be many sets of rules which are linked by **OR**. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by **AND**. This gives the IT admins a lot of power to craft the perfect policy befitting their use case. ## Sample plug-in VPN profile
## LockDown VPN The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features: ```
- The system attempts to keep the VPN connected at all times. <VPNProfile>
- The user cannot disconnect the VPN connection. <ProfileName>TestVpnProfile</ProfileName>
- The user cannot delete or modify the VPN profile. <PluginProfile>
- The VPN LockDown profile uses forced tunnel connection. <ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
- If the VPN connection is not available, outbound network traffic is blocked. <PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
- Only one VPN LockDown profile is allowed on a device. <CustomConfiguration>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</CustomConfiguration>
> **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type. </PluginProfile>
  <Route>
## Learn about VPN and the Conditional Access Framework in Azure Active Directory <Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
</AppTrigger>
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<!--<RoutingPolicyType>ForceTunnel</RoutingPolicyType>-->
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<Claims>O:SYG:SYD:(A;;CC;;;AU)</Claims>
<!--<RoutingPolicyType>SplitTunnel</RoutingPolicyType>-->
</TrafficFilter>
<DomainNameInformation>
<DomainName>corp.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>false</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--<EdpModeId>corp.contoso.com</EdpModeId>-->
<RememberCredentials>true</RememberCredentials>
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
</VPNProfile>
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/) ```
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/) ## Apply ProfileXML using Intune
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
The OMS-URI setting to apply ProfileXML is **./user/vendor/MSFT/*VPN profile name*/ProfileXML**.
![Paste your ProfileXML in OMA-URI Setting value field](images/vpn-profilexml-intune.png)
## Learn more ## Learn more
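Review bot: the ProfileXML sample has a typo in `<ServerUrlList>`: `testserver2.contoso..com` carries a doubled dot, so anyone who pastes the sample gets an unresolvable server entry; it should read `testserver2.contoso.com`. In the same sample both `<DomainNameInformation>` elements use `<DomainName>corp.contoso.com</DomainName>` with different `DnsServers` and `WebProxyServers` values, which leaves the reader unsure which rule applies to that suffix; give the second entry a distinct domain or drop it. The `<Proxy>` block uses `HelloServer` and `Helloworld.Com` where every other placeholder in the sample is under contoso.com; align them so the sample is internally consistent. In the "Apply ProfileXML using Intune" paragraph, "OMS-URI" should be "OMA-URI" (the image alt text already says OMA-URI), and the path shown omits the CSP node: the VPNv2 CSP path is `./user/vendor/MSFT/VPNv2/<ProfileName>/ProfileXML`, not `./user/vendor/MSFT/<ProfileName>/ProfileXML`.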
@ -65,3 +305,13 @@ A VPN profile configured with LockDown secures the device to only allow network
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588) - [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028) - [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)

View File

@ -0,0 +1,68 @@
---
title: VPN routing decisions (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN routing decisions
**Applies to**
- Windows 10
- Windows 10 Mobile
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
## Split tunnel configuration
In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
For each route item in the list the following can be specified:
- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
- **Exclusion route**: VPNv2/*ProfileName*/RouteList/*routeRowId*/ExclusionRoute
Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration
In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isnt a specific route on the Physical Interface itself.
For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.
## Configure routing
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
![split tunnel](images/vpn-split.png)
Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
![add route for split tunnel](images/vpn-split-route.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
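Review bot: the exclusion-route sentence under "Split tunnel configuration" reads inverted. The section opens by saying that listed routes go over the VPN and everything else goes over the physical interface, so an "exclusion route that specifically should not go over the physical interface" would just be an ordinary route; in the VPNv2 CSP that this page links, `ExclusionRoute` set to true directs that route over the physical interface, i.e. it excludes the prefix from the VPN. Suggest: "exclusion routes that specifically should not go over the VPN interface." Two smaller points in the same file: `description: tbd` in the front matter is a placeholder that will ship with the page, and under "Force tunnel configuration" the example cites only `0.0.0.0/0` while the sentence talks about both the V4 and V6 default routes, so add `::/0`; "isnt" in that paragraph is also missing its apostrophe.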

View File

@ -0,0 +1,87 @@
---
title: VPN security features (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN security features
**Applies to**
- Windows 10
- Windows 10 Mobile
## LockDown VPN
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
- The system attempts to keep the VPN connected at all times.
- The user cannot disconnect the VPN connection.
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
- Only one VPN LockDown profile is allowed on a device.
>[!NOTE]
>For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
## Windows Information Protection (WIP) integration with VPN
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
- Core functionality: File encryption and file access blocking
- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
[Learn more about Windows Information Protection](protect-enterprise-data-using-wip.md)
## Traffic filters
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
For example, an admin could define rules that specify:
- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
- All other apps on the device should be able to access only ports 80 or 443.
## Configure traffic filters
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
![Add a traffic rule](images/vpn-traffic-rules.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)
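Review bot: the second sentence under "Traffic filters" is a fragment: "Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules" has no main verb and no space after the period; suggest "This lets network admins effectively add interface-specific firewall rules on the VPN interface. There are two types of Traffic Filter rules:". In the worked example list, "The Contoso finance apps is allowed" should be "The Contoso finance app is allowed" (or "apps are allowed"). As in the routing file, `description: tbd` in the front matter is a placeholder that should be filled before publishing. The caution sentence under "LockDown VPN" is the right emphasis; consider also stating there that the restriction applies even when the VPN server itself is unreachable, since the bullet list only says outbound traffic is blocked and a reader may otherwise assume a fallback.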

View File

@ -86,6 +86,7 @@
##### [About App-V Reporting](appv-reporting.md) ##### [About App-V Reporting](appv-reporting.md)
##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md) ##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
#### [App-V Deployment Checklist](appv-deployment-checklist.md) #### [App-V Deployment Checklist](appv-deployment-checklist.md)
#### [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
#### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md) #### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
#### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) #### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
### [Operations for App-V](appv-operations.md) ### [Operations for App-V](appv-operations.md)

View File

@ -30,7 +30,8 @@ App-V supports a number of different deployment options. Review this topic for i
This section provides a deployment checklist that can be used to assist with installing App-V. This section provides a deployment checklist that can be used to assist with installing App-V.
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)<br> - [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)<br>
[Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)<br>
[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization. These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.

View File

@ -0,0 +1,444 @@
---
title: Deploying Microsoft Office 2016 by Using App-V (Windows 10)
description: Deploying Microsoft Office 2016 by Using App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Deploying Microsoft Office 2016 by Using App-V
**Applies to**
- Windows 10, version 1607
Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md).
This topic contains the following sections:
- [What to know before you start](#what-to-know-before-you-start)
- [Creating an Office 2016 package for App-V with the Office Deployment Tool](#creating-an-office-2016-package-for-app-v-with-the-office-deployment-tool) 
- [Publishing the Office package for App-V](#publishing-the-office-package-for-app-v) 
- [Customizing and managing Office App-V packages](#customizing-and-managing-office-app-v-packages) 
## What to know before you start
Before you deploy Office 2016 by using App-V, review the following planning information.
### Supported Office versions and Office coexistence
Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
| **Information to review** | **Description** |
|-------------------------------------|------------------------|
| [Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv) | - Supported versions of Office<br>- Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)<br>- Office licensing options |
| [Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting) | Considerations for installing different versions of Office on the same computer |
### Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
 
| **Task** | **Requirement** |
|-----------|-------------------|
| Packaging | - All of the Office applications that you want to deploy to users must be in a single package.<br>- In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.<br>- If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
| Publishing | - You can publish only one Office package to each client computer.<br>- You must publish the Office package globally. You cannot publish to the user. |
| Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:<br>- Office 365 ProPlus<br>- Visio Pro for Office 365<br>- Project Pro for Office 365 | You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx). |
### Excluding Office applications from a package
The following table describes the recommended methods for excluding specific Office applications from a package.
| **Task** | **Details** |
|-------------|---------------|
| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.<br><br>For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#BKMK_ExcludeAppElement). |
| Modify the DeploymentConfig.xml file | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.<br>For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications). |
## Creating an Office 2016 package for App-V with the Office Deployment Tool
Complete the following steps to create an Office 2016 package for App-V.
>**Important**&nbsp;&nbsp;In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
### Review prerequisites for using the Office Deployment Tool
The computer on which you are installing the Office Deployment Tool must have:
 
| **Prerequisite** | **Description** |
|----------------------|--------------------|
| Prerequisite software | .Net Framework 4 |
| Supported operating systems | - 64-bit version of Windows 10<br>- 64-bit version of Windows 8 or 8.1<br>- 64-bit version of Windows 7 |
>**Note**&nbsp;&nbsp;In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
### Create Office 2016 App-V Packages Using Office Deployment Tool
You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
### Download the Office Deployment Tool
Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
> **Important**&nbsp;&nbsp;You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
Example: \\\\Server\\Office2016
3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
### Download Office 2016 applications
After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package.
The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
**Step 1: Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
1. Open the sample XML file in Notepad or your favorite text editor.
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
```
<Configuration>
<Add SourcePath= \\Server\Office2016” OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail ">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Add>
</Configuration>
```
>**Note**&nbsp;&nbsp;The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the “&lt;! - -“ from the beginning of the line, and the “-- &gt;” from the end of the line.
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
| **Input** | **Description** | **Example** |
|--------------|----------------------------|----------------|
| Add element | Specifies the products and languages to include in the package. | N/A |
| OfficeClientEdition (attribute of Add element) | Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** is not set to a valid value. | **OfficeClientEdition**="32"<br>**OfficeClientEdition**="64" |
| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.<br>For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297). | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
| Language element | Specifies the language supported in the applications | `Language ID="en-us"` |
| Version (attribute of Add element) | Optional. Specifies a build to use for the package<br>Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of Add element) | Specifies the location in which the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
| Channel (part of Add element) | Optional. Defines which channel to use for updating Office after it is installed.<br>The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Online Desktop Client. <br>For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://technet.microsoft.com/library/mt455210.aspx). | `Channel="Current"`<br><br>`Channel="Deferred"`<br><br>`Channel="FirstReleaseDeferred"`<br><br>`Channel="FirstReleaseCurrent"` |
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
**Step 2: Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
`\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml`
In the example:
| Element | Description |
|-------------------------------|--------------------------------------|
| **\\\\server\\Office2016** | is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml. |
| **Setup.exe** | is the Office Deployment Tool. |
| **/download** | downloads the Office 2016 applications that you specify in the customConfig.xml file. |
| **\\\\server\\Office2016\\Customconfig.xml** | passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\\\Server\\Office2016. |
### Convert the Office applications into an App-V package
After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model.
**Summary of what youll need to do:**
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
- Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
The following table summarizes the values you need to enter in the CustomConfig.xml file. The steps in the sections that follow the table will specify the exact entries you need to make.
>**Note**&nbsp;&nbsp;You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
| **Product ID** | **Subscription Licensing** |
|--------------------------------------------------|-------------------------------------------------------------|
| **Office 2016** | O365ProPlusRetail |
| **Office 2016 with Visio 2016** | O365ProPlusRetail<br>VisioProRetail |
| **Office 2016 with Visio 2016 and Project 2016** | O365ProPlusRetail<br>VisioProRetail<br>ProjectProRetail |
#### How to convert the Office applications into an App-V package
1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
- **SourcePath**: Point to the Office applications downloaded earlier.
- **ProductID**: Specify the type of licensing, as shown in the following example:
- Subscription Licensing:
```
<Configuration>
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Add>
</Configuration>
```
In this example, the following changes were made to create a package with Subscription licensing:
**SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier.<br>
**Product ID** for Office was changed to `O365ProPlusRetail`.<br>
**Product ID** for Visio was changed to `VisioProRetail`.
- **ExcludeApp** (optional): Lets you specify Office programs that you dont want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.
- **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
>**Note**&nbsp;&nbsp;Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
For example:
``` syntax
\\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV
```
In the example:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>\\server\Office2016</code></p></td>
<td align="left"><p>is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>Setup.exe</code></p></td>
<td align="left"><p>is the Office Deployment Tool.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>/packager</code></p></td>
<td align="left"><p>creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>\\server\Office2016\Customconfig.xml</code></p></td>
<td align="left"><p>passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>\\server\share\Office2016AppV</code></p></td>
<td align="left"><p>specifies the location of the newly created Office App-V package.</p></td>
</tr>
</tbody>
</table>
After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:<br>
- **App-V Packages** contains an Office 2016 App-V package and two deployment configuration files.
- **WorkingDir**
**Note**&nbsp;&nbsp;To troubleshoot any issues, see the log files in the %temp% directory (default).
3. Verify that the Office 2016 App-V package works correctly:
1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear.
2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
## Publishing the Office package for App-V
Use the following information to publish an Office package.
### Methods for publishing Office App-V packages
Deploy the App-V package for Office 2016 by using the same methods you use for any other package:
- System Center Configuration Manager
- App-V Server
- Stand-alone through Windows PowerShell commands
### Publishing prerequisites and requirements
| **Prerequisite or requirement** | **Details** |
|---------------------------------------|--------------------|
| Enable Windows PowerShell scripting on the App-V clients | To publish Office 2016 packages, you must run a script.<br><br>Package scripts are disabled by default on App-V clients. To enable scripting, run the following Windows PowerShell command:<br>`Set-AppvClientConfiguration -EnablePackageScripts 1` |
| Publish the Office 2016 package globally | Extension points in the Office App-V package require installation at the computer level.<br><br>When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages. |
### How to publish an Office package
Run the following command to publish an Office package globally:
- `Add-AppvClientPackage <Path_to_AppV_Package > | Publish-AppvClientPackage -global`
- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
## Customizing and managing Office App-V packages
To manage your Office App-V packages, use the same operations as you would for any other package, with a few exceptions as outlined in the following sections.
- [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups)
- [Disabling Office 2016 applications](#disabling-office-2016-applications)
- [Disabling Office 2016 shortcuts](#disabling-office-2016-shortcuts)
- [Managing Office 2016 package upgrades](#managing-office-2016-package-upgrades)
- [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office)
### Enabling Office plug-ins by using connection groups
Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
#### To enable plug-ins for Office App-V packages
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended that you use Office 365 ProPlus (non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
> **Important**&nbsp;&nbsp;The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package.
7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2016 App-V package has.
Since the Office 2016 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published.
8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2016 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
11. After you successfully publish both packages and enable the Connection Group, start the target Office 2016 application and verify that the plug-in you published and added to the connection group works as expected.
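Steps 5 through 10 above, as an added example that is not part of the original topic: it checks that the plug-in package's Deployment Configuration File carries the same COM settings as the Office package (step 7), sets Objects Enabled to false (step 8), confirms both packages are published globally (step 6), writes a Connection Group descriptor with the Office package listed first (steps 5 and the Important note), and enables the group globally while reporting whether it is pending a reboot (step 10). All paths and package names are placeholders; the descriptor layout follows the App-V 5 connection-group schema as I understand it and should be compared against a descriptor exported from your own App-V Server.

```powershell
# Added example (not from the original topic). Paths and names are placeholders.
param(
    [string]$OfficeConfig = 'C:\AppVPackages\Office2016\Office2016_DeploymentConfig.xml',
    [string]$PluginConfig = 'C:\AppVPackages\MyPlugin\MyPlugin_DeploymentConfig.xml',
    [string]$OfficeName   = 'Microsoft Office 2016',   # Name shown by Get-AppvClientPackage
    [string]$PluginName   = 'MyOfficePlugin',          # placeholder plug-in package name
    [string]$GroupXml     = 'C:\AppVPackages\Office2016-Plugins.xml'
)
$ErrorActionPreference = 'Stop'

# Load a Deployment Configuration File with a namespace manager so XPath works.
function Get-ConfigXml([string]$Path) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path $Path).Path)
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('dc', $doc.DocumentElement.NamespaceURI)
    [pscustomobject]@{ Doc = $doc; Ns = $ns }
}

# Step 7: "COM Mode" and the In/OutOfProcessEnabled attributes must match Office.
function Get-ComSettings($cfg) {
    $com = $cfg.Doc.SelectSingleNode('//dc:COM', $cfg.Ns)
    if (-not $com) { throw 'No <COM> subsystem element found in the configuration file.' }
    $attrs = $com.SelectSingleNode('dc:IntegratedCOMAttributes', $cfg.Ns)
    [pscustomobject]@{
        Mode                = $com.GetAttribute('Mode')
        InProcessEnabled    = if ($attrs) { $attrs.GetAttribute('InProcessEnabled') }    else { '' }
        OutOfProcessEnabled = if ($attrs) { $attrs.GetAttribute('OutOfProcessEnabled') } else { '' }
    }
}

$office = Get-ConfigXml $OfficeConfig
$plugin = Get-ConfigXml $PluginConfig
$o = Get-ComSettings $office
$p = Get-ComSettings $plugin
foreach ($prop in 'Mode', 'InProcessEnabled', 'OutOfProcessEnabled') {
    if ($o.$prop -ne $p.$prop) {
        throw "Plug-in COM setting '$prop' is '$($p.$prop)' but Office uses '$($o.$prop)'; align the plug-in file first."
    }
}

# Step 8: set Objects Enabled to false in the plug-in package and save the file.
foreach ($obj in $plugin.Doc.SelectNodes('//dc:Objects', $plugin.Ns)) {
    $obj.SetAttribute('Enabled', 'false')
}
$plugin.Doc.Save((Resolve-Path $PluginConfig).Path)

# Step 6: both packages must already be added and published globally.
function Get-LatestPackage([string]$Name) {
    $pkg = Get-AppvClientPackage -Name $Name | Sort-Object { [version]$_.Version } | Select-Object -Last 1
    if (-not $pkg) { throw "Package '$Name' is not added on this computer." }
    if (-not $pkg.IsPublishedGlobally) { throw "Package '$Name' must be published globally first." }
    $pkg
}
$officePkg = Get-LatestPackage $OfficeName
$pluginPkg = Get-LatestPackage $PluginName

# Step 5: descriptor with Office first, then the plug-in (order = merge order).
$descriptor = @"
<?xml version="1.0" encoding="UTF-8"?>
<appv:AppConnectionGroup xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
  xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
  AppConnectionGroupId="$([guid]::NewGuid().Guid)" VersionId="$([guid]::NewGuid().Guid)"
  Priority="0" DisplayName="Office 2016 plug-ins">
  <appv:Packages>
    <appv:Package PackageId="$($officePkg.PackageId)" VersionId="$($officePkg.VersionId)" />
    <appv:Package PackageId="$($pluginPkg.PackageId)" VersionId="$($pluginPkg.VersionId)" />
  </appv:Packages>
</appv:AppConnectionGroup>
"@
[IO.File]::WriteAllText($GroupXml, $descriptor, (New-Object System.Text.UTF8Encoding $false))

# Step 10: add and enable the group globally. GlobalPending = True means Office was
# in use when the group was enabled and the computer must be rebooted.
$group = Add-AppvClientConnectionGroup -Path $GroupXml | Enable-AppvClientConnectionGroup -Global
Get-AppvClientConnectionGroup -Name $group.Name |
    Select-Object Name, GroupId, VersionId, IsEnabledGlobally, GlobalPending
```

Because the descriptor pins the Office package's VersionId, a later Office package upgrade (which carries a new VersionId, as described under "Managing Office 2016 package upgrades") needs a new descriptor version that references the new package; regenerate and re-add the group after each upgrade.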
### Disabling Office 2016 applications
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access but leave all other Office applications available. When you disable an application, the end user no longer sees the shortcut for that application. You do not have to re-sequence the package. After you change the Deployment Configuration File of an already published Office 2016 App-V package, save the changes, re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to the package's applications.
>**Note**&nbsp;&nbsp;To exclude specific Office applications (for example, Access) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
#### To disable an Office 2016 application
1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for "Applications".
2. Search for the Office application you want to disable, for example, Access 2016.
3. Change the value of "Enabled" from "true" to "false."
4. Save the Deployment Configuration File.
5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
```xml
<Application Id="[{AppVPackageRoot}]\office16\lync.exe" Enabled="true">
  <VisualElements>
    <Name>Lync 2016</Name>
    <Icon />
    <Description />
  </VisualElements>
</Application>
<!-- To disable Access, change Enabled="true" to Enabled="false" on this element -->
<Application Id="[{AppVPackageRoot}]\office16\MSACCESS.EXE" Enabled="true">
  <VisualElements>
    <Name>Access 2016</Name>
    <Icon />
    <Description />
  </VisualElements>
</Application>
```
6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
### Disabling Office 2016 shortcuts
You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
#### To disable shortcuts for Office 2016 applications
1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
2. To disable certain shortcuts, delete or comment out the specific shortcuts you don't want. You must keep the Shortcuts subsystem present and enabled. In the example below, delete the Microsoft Access `<Shortcut>` element while keeping the enclosing `<Shortcuts>` `</Shortcuts>` element intact to disable the Microsoft Access shortcut.
```xml
<!-- Shortcuts -->
<Shortcuts Enabled="true">
  <Extensions>
    <Extension Category="AppV.Shortcut">
      <!-- Remove this <Shortcut> element to disable the Access shortcut; keep <Shortcuts> itself -->
      <Shortcut>
        <File>[{Common Programs}]\Microsoft Office 2016\Access 2016.lnk</File>
        <Target>[{AppVPackageRoot}]\office16\MSACCESS.EXE</Target>
        <Icon>[{Windows}]\Installer\{90150000-000F-0000-0000-0000000FF1CE}\accicons.exe.0.ico</Icon>
        <Arguments />
        <WorkingDirectory />
        <AppUserModelId>Microsoft.Office.MSACCESS.EXE.16</AppUserModelId>
        <AppUserModelExcludeFromShowInNewInstall>true</AppUserModelExcludeFromShowInNewInstall>
        <Description>Build a professional app quickly to manage data.</Description>
        <ShowCommand>1</ShowCommand>
        <ApplicationId>[{AppVPackageRoot}]\office16\MSACCESS.EXE</ApplicationId>
      </Shortcut>
    </Extension>
  </Extensions>
</Shortcuts>
```
3. Save the Deployment Configuration File.
4. Republish the Office 2016 App-V package with the new Deployment Configuration File.
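Both procedures above ("Disabling Office 2016 applications" and "Disabling Office 2016 shortcuts"), as one added example that is not part of the original topic: it edits the Deployment Configuration File programmatically instead of in Notepad, sets `Enabled="false"` on the matching `<Application>` element, removes only the `<Shortcut>` entries whose `<Target>` points at that executable while leaving the `<Shortcuts>` subsystem in place, and then re-adds and republishes the package with the modified file. The package and configuration paths are placeholders, and the script assumes an elevated Windows PowerShell session on an App-V client.

```powershell
# Added example (not from the original topic): disable one Office 2016 application
# and its shortcuts by editing the Deployment Configuration File, then republish.
# Paths are placeholders; run in an elevated Windows PowerShell session.
param(
    [string]$PackagePath = 'C:\AppVPackages\Office2016\Office2016.appv',
    [string]$ConfigPath  = 'C:\AppVPackages\Office2016\Office2016_DeploymentConfig.xml',
    [string]$ExeName     = 'MSACCESS.EXE',   # application to disable
    [switch]$ShortcutsOnly                   # remove shortcuts but keep the app enabled
)
$ErrorActionPreference = 'Stop'

# Keep an untouched copy so the change can be reverted by republishing with it.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load((Resolve-Path $ConfigPath).Path)
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('dc', $doc.DocumentElement.NamespaceURI)

# Match the executable at the end of a virtual path such as
# [{AppVPackageRoot}]\office16\MSACCESS.EXE (-match is case-insensitive).
$exePattern = '\\' + [regex]::Escape($ExeName) + '$'

# "Disabling Office 2016 applications": set Enabled="false" on the <Application>.
$disabled = 0
if (-not $ShortcutsOnly) {
    foreach ($app in $doc.SelectNodes('//dc:Application', $ns)) {
        if ($app.GetAttribute('Id') -match $exePattern) {
            $app.SetAttribute('Enabled', 'false')
            $disabled++
        }
    }
}

# "Disabling Office 2016 shortcuts": drop only the matching <Shortcut> elements.
# @() materializes the node list so removing nodes does not disturb the loop.
$removed = 0
foreach ($sc in @($doc.SelectNodes('//dc:Shortcut', $ns))) {
    $target = $sc.SelectSingleNode('dc:Target', $ns)
    if ($target -and $target.InnerText -match $exePattern) {
        [void]$sc.ParentNode.RemoveChild($sc)
        $removed++
    }
}

if ($disabled -eq 0 -and $removed -eq 0) {
    throw "No <Application> or <Shortcut> entries for $ExeName were found in $ConfigPath."
}
$doc.Save((Resolve-Path $ConfigPath).Path)
Write-Host "Disabled $disabled application entry(ies) and removed $removed shortcut(s) for $ExeName."

# Re-add the package with the modified file and republish globally so the new
# settings take effect; the package itself (PackageId/VersionId) is unchanged.
Add-AppvClientPackage -Path $PackagePath -DynamicDeploymentConfiguration $ConfigPath |
    Publish-AppvClientPackage -Global |
    Select-Object Name, Version, IsPublishedGlobally, GlobalPending
```

Hiding the shortcut does not stop a user who can reach the virtual path from starting the executable; if the goal is to prevent use rather than to tidy the Start menu, pair this with the AppLocker approach the Visio and Project section below describes.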
Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
### Managing Office 2016 package upgrades
To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the following steps.
#### How to upgrade a previously deployed Office 2016 package
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
> **Note**&nbsp;&nbsp;Office App-V packages have two Version IDs:
> - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
> - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
2. Globally publish the newly created Office 2016 App-V package onto the computers where you want to apply the new updates. Since the new package has the same lineage as the older Office 2016 App-V package, publishing the new package applies only the changes to the old package, so it is fast.
3. Upgrades are applied in the same manner as any globally published App-V package. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
### Deploying Visio 2016 and Project 2016 with Office
The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office.
| **Task** | **Details** |
|---------------------|---------------|
| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.<br>If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. |
| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:<br>**To create two different packages and deploy each one to a different group of users**:<br>Create and deploy the following packages:<br>- A package that contains only Office - deploy to computers whose users need only Office.<br>- A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.<br><br>**To create only one package for the whole organization, or create a package intended for users who share computers**:<br>Follow these steps:<br>1. Create a package that contains Office, Visio, and Project.<br>2. Deploy the package to all users.<br>3. Use [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) to prevent specific users from using Visio and Project. |
## Related topics
- [Deploying App-V for Windows 10](appv-deploying-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
- [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

View File

@ -35,6 +35,7 @@ The topics in this section provide information and step-by-step procedures to he
- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md) - [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)
- [Deploying the App-V Server](appv-deploying-the-appv-server.md) - [Deploying the App-V Server](appv-deploying-the-appv-server.md)
- [App-V Deployment Checklist](appv-deployment-checklist.md) - [App-V Deployment Checklist](appv-deployment-checklist.md)
- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md) - [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) - [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)

View File

@ -12,6 +12,13 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
| New or changed topic | Description |
| --- | --- |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. |
## September 2016 ## September 2016
| New or changed topic | Description | | New or changed topic | Description |
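Review bot: the new October 2016 table lists only the Cortana and Microsoft-services topics, but the other files in this same commit also change user-visible content and should get rows: the new `appv-deploying-microsoft-office-2016-with-appv.md` topic (plus its link in `appv-deploying-appv.md`), the UE-V FAQ wiki link added to the UE-V troubleshooting topic, the LTSB silicon-support note in the servicing overview, the `./Vendor/MSFT/...` OMA-URI corrections in the Intune deployment-ring topic, and the Windows Hello convenience-PIN bullet in the what's-new topic. One row per topic is enough, for example `| [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md) | New topic. |`.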

View File

@ -88,7 +88,7 @@ The following example is a complete lockdown XML file that disables Action Cente
![XML for Apps](images/AppsXML.png) ![XML for Apps](images/AppsXML.png)
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. If you don't include the Apps setting in the file, all apps on the device are available to the user. The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
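Review bot: deleting the sentence `If you don't include the Apps setting in the file, all apps on the device are available to the user.` leaves the omitted-Apps case undocumented. If that sentence was wrong, state in its place what actually happens when the Apps setting is absent; since the preceding sentence describes Apps as an allow list that hides and blocks everything not listed, an administrator building a lockdown file needs to know whether a missing section fails open (all apps available) or fails closed, and the hunk now says neither.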

View File

@ -1353,3 +1353,5 @@ You can turn off automatic updates by doing one of the following. This is not re
- **5**. Turn off automatic updates. - **5**. Turn off automatic updates.
To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.
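Review bot: the last sentence of the added paragraph is ungrammatical (`Make sure should you've chosen the right settings configuration`); suggest `Make sure you've chosen the right settings configuration for your environment before applying the baseline.` More importantly, `some of the settings reduce the functionality and security configuration of your device and are therefore not recommended` should name which settings those are, or point at the specific sections of this document that carry that warning, so a reader can exclude them from the baseline before applying it rather than discovering the reduced security posture afterwards.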

View File

@ -24,6 +24,10 @@ Cortana in Windows 10 is already great at letting your employees quickly see wh
But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they wont be late. But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they wont be late.
>**Important**<br>
>Before your employees can use Cortana with Office 365, they must sign into Cortana using a Microsoft account (such as, @outlook.com), and then they must go to the **Connected Accounts** section of Cortanas notebook to turn on and connect to Office 365.
**More info:** **More info:**
- For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717378) support topic. - For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717378) support topic.
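Review bot: in the added Important note, `such as, @outlook.com` should read `such as @outlook.com`, and `Cortanas notebook` has lost its apostrophe (`Cortana's notebook`). The note should also refer the reader to the bullet directly below it, since the steps it describes will not work in a tenant where the administrator has turned off Cortana with Office 365 as that bullet's linked support topic explains.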

View File

@ -14,8 +14,11 @@ ms.prod: w10
**Applies to** **Applies to**
- Windows 10, version 1607 - Windows 10, version 1607
For information that can help with troubleshooting UE-V for Windows 10, see: For information that can help with troubleshooting UE-V for Windows 10, see:
- [UE-V FAQ Wiki](http://social.technet.microsoft.com/wiki/contents/articles/35333.ue-v-important-changes-in-ue-v-functionality-after-the-windows-10-anniversary-update.aspx)
- [UE-V: List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx) - [UE-V: List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx)
- [User Experience Virtualization Release Notes](uev-release-notes-1607.md) - [User Experience Virtualization Release Notes](uev-release-notes-1607.md)
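Review bot: the link text `UE-V FAQ Wiki` does not describe the linked article, whose slug is `ue-v-important-changes-in-ue-v-functionality-after-the-windows-10-anniversary-update`; use the article's actual title as the link text so readers troubleshooting UE-V on Windows 10, version 1607 (the version this topic applies to) can see that it covers post-Anniversary Update behaviour changes.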

View File

@ -81,7 +81,7 @@ To align with the new method of delivering feature updates and quality updates i
The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
>[!NOTE] >[!NOTE]
>Servicing branches are not the only way to separate groups of machines when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). >Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
### Current Branch ### Current Branch
@ -110,6 +110,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale
Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 23 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 23 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, its important to remember that Microsoft has positioned the LTSB model primarily for specialized devices. LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, its important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
>[!NOTE] >[!NOTE]
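Review bot: the added note should state the practical consequence plainly: a device whose processor generation is newer than what the current LTSB release supports is not supported on that LTSB build until a later LTSB release that includes it, so hardware refresh planning must be tied to LTSB release timing. While in this file, the context line `every 23 years` has lost its dash and should read `every 2–3 years`.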

View File

@ -47,7 +47,7 @@ In this example, you use two security groups to manage your updates: **Ring 3 Br
5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. 5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
7. In the **Value** box, type **1**, and then click **OK**. 7. In the **Value** box, type **1**, and then click **OK**.
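Review bot: the change from `.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade` to `./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade` is correct; an OMA-URI without the leading `./` is not a valid relative path and Intune will not apply the setting. The same fix is applied consistently to every OMA-URI in the hunks below; please also check the screenshots this topic embeds (for example `images/waas-wufb-intune-step11a.png`) so they do not still show the `.Vendor` form.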
@ -78,7 +78,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**. 4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
7. Click **OK** to save the setting. 7. Click **OK** to save the setting.
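Review bot: the step numbering in this hunk's context jumps from 4 to 6, and the following hunks show the same gaps (8, 8, 10, 11 and 15, 17, 18), so readers following the procedure will think a step is missing. Since the file is already being edited for the OMA-URI fix, renumber the steps in this topic sequentially in the same change.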
@ -86,7 +86,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**. 9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
11. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. 11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
12. In the **Value** box, type **1**. 12. In the **Value** box, type **1**.
@ -96,7 +96,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**. 15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
17. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**. 17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
18. In the **Value** box, type **1**. 18. In the **Value** box, type **1**.
@ -134,7 +134,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list. 4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **0**, and then click **OK**. 7. In the **Value** box, type **0**, and then click **OK**.
@ -146,7 +146,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 14 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. 8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 14 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. 8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **14**, and then click **OK**. 11. In the **Value** box, type **14**, and then click **OK**.
![Settings for this policy](images/waas-wufb-intune-step11a.png) ![Settings for this policy](images/waas-wufb-intune-step11a.png)
@ -174,7 +174,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. 4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **1**, and then click **OK**. 7. In the **Value** box, type **1**, and then click **OK**.
@ -186,7 +186,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. 8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **0**, and then click **OK**. 11. In the **Value** box, type **0**, and then click **OK**.
@ -216,7 +216,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f
4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. 4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **1**, and then click **OK**. 7. In the **Value** box, type **1**, and then click **OK**.
@ -228,7 +228,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f
8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. 8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
11. In the **Value** box, type **7**, and then click **OK**. 11. In the **Value** box, type **7**, and then click **OK**.
@ -236,7 +236,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f
8. In **Setting name**, type **Defer feature updates for 30 days**, and then select **Integer** from the **Data type** list. 8. In **Setting name**, type **Defer feature updates for 30 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **30**, and then click **OK**. 11. In the **Value** box, type **30**, and then click **OK**.

View File

@ -57,7 +57,7 @@ Windows 10, version 1607, provides administrators with increased control over up
- Quality Updates can be deferred up to 30 days and paused for 35 days - Quality Updates can be deferred up to 30 days and paused for 35 days
- Feature Updates can be deferred up to 180 days and paused for 60 days - Feature Updates can be deferred up to 180 days and paused for 60 days
- Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB) - Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB)
- Drivers can be excluded from udpates - Drivers can be excluded from updates
## Security ## Security
@ -67,12 +67,13 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
### Windows Hello for Business ### Windows Hello for Business
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Additional changes for Windows Hello in Windows 10, version 1607: Additional changes for Windows Hello in Windows 10, version 1607:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
<!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.--> <!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.-->
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md) [Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
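Review bot: the new bullet tells administrators how to turn convenience PIN back on via `Turn on convenience PIN sign-in` but not why it is disabled by default on domain-joined computers; add a sentence stating the reason and what enabling it means for domain sign-in security, so the policy is not flipped on as a routine fix for a "missing PIN" report. Separately, the rewording from `Customers who have already deployed these technologies` to `Customers who have already deployed Microsoft Passport for Work` narrows the statement to Passport for Work deployments only; if customers who deployed Windows Hello on its own are equally unaffected, keep the broader wording.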