diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index 92d00bac2c..b1243f0790 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -11,7 +11,12 @@ ms.sitesec: library
 # Change history for Internet Explorer 11
 This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
-##July 2016
+## August 2016
+|New or changed topic | Description |
+|----------------------|-------------| [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
+
+## July 2016
 |New or changed topic | Description |
 |----------------------|-------------|
 |[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 9eccc9be96..adb0625f1e 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
 author: CelesteDG
+localizationpriority: high
 ---
 # Windows 10 editions for education customers
diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md
index cd91b2b614..9c8f4c7fa1 100644
--- a/windows/deploy/activate-using-active-directory-based-activation-client.md
+++ b/windows/deploy/activate-using-active-directory-based-activation-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: greg-lindsay
-localizationpriority: medium
+localizationpriority: high
 ---
 # Activate using Active Directory-based activation
diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md
index 3fc787f902..2bb06acd4e 100644
--- a/windows/deploy/activate-using-key-management-service-vamt.md
+++ b/windows/deploy/activate-using-key-management-service-vamt.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Activate using Key Management Service
diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md
index c110f8233c..478ceda691 100644
--- a/windows/deploy/activate-windows-10-clients-vamt.md
+++ b/windows/deploy/activate-windows-10-clients-vamt.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Activate clients running Windows 10
diff --git a/windows/deploy/install-configure-vamt.md b/windows/deploy/install-configure-vamt.md
index 49b3f8ec44..eb904768ad 100644
--- a/windows/deploy/install-configure-vamt.md
+++ b/windows/deploy/install-configure-vamt.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: high
 ---
 # Install and Configure VAMT
diff --git a/windows/deploy/install-kms-client-key-vamt.md b/windows/deploy/install-kms-client-key-vamt.md
index 9605053d6a..f1774ca7c8 100644
--- a/windows/deploy/install-kms-client-key-vamt.md
+++ b/windows/deploy/install-kms-client-key-vamt.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: high
 ---
 # Install a KMS Client Key
diff --git a/windows/deploy/install-product-key-vamt.md b/windows/deploy/install-product-key-vamt.md
index 71817b7b80..f03f3510df 100644
--- a/windows/deploy/install-product-key-vamt.md
+++ b/windows/deploy/install-product-key-vamt.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: high
 ---
 # Install a Product Key
diff --git a/windows/deploy/install-vamt.md b/windows/deploy/install-vamt.md
index 07a9a72b5b..4be81d78de 100644
--- a/windows/deploy/install-vamt.md
+++ b/windows/deploy/install-vamt.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: high
 ---
 # Install VAMT
diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md
index d3692b2073..6daf655797 100644
--- a/windows/deploy/provision-pcs-for-initial-deployment.md
+++ b/windows/deploy/provision-pcs-for-initial-deployment.md
@@ -7,7 +7,7 @@ ms.prod: W10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Provision PCs with common settings for initial deployment (simple provisioning)
diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md
index 936f1b6f73..820e7ab47a 100644
--- a/windows/deploy/provision-pcs-with-apps-and-certificates.md
+++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md
@@ -7,7 +7,7 @@ ms.prod: W10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Provision PCs with apps and certificates for initial deployment (advanced provisioning)
diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md
index 4630340ba6..fbeadf5826 100644
--- a/windows/deploy/provisioning-packages.md
+++ b/windows/deploy/provisioning-packages.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerMS
+localizationpriority: high
 ---
 # Provisioning packages for Windows 10
diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md
index 6eed17adf5..7efe6a23a3 100644
--- a/windows/deploy/use-the-volume-activation-management-tool-client.md
+++ b/windows/deploy/use-the-volume-activation-management-tool-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Use the Volume Activation Management Tool
diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md
index 17380ccbb3..6414a4386a 100644
--- a/windows/deploy/usmt-technical-reference.md
+++ b/windows/deploy/usmt-technical-reference.md
@@ -1,6 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Technical Reference (Windows 10)
-description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
+description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
 ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,31 +9,29 @@ author: greg-lindsay
 ---
 # User State Migration Tool (USMT) Technical Reference
-The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
+The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
 Download the Windows ADK [from this website](http://go.microsoft.com/fwlink/p/?LinkID=526803).
-**Note**: USMT version 10.1.10586 supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
+**USMT support for Microsoft Office**
+>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
+>USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
-USMT 10.0 includes three command-line tools: - -- ScanState.exe - -- LoadState.exe
+USMT includes three command-line tools:
+- ScanState.exe
+- LoadState.exe
- UsmtUtils.exe
-USMT 10.0 also includes a set of three modifiable .xml files: - -- MigApp.xml - -- MigDocs.xml
+USMT also includes a set of three modifiable .xml files:
+- MigApp.xml
+- MigDocs.xml
- MigUser.xml
 Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-USMT 10.0 tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](http://go.microsoft.com/fwlink/p/?LinkId=246564).
+USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](http://go.microsoft.com/fwlink/p/?LinkId=246564).
 ## In This Section
 |Topic |Description|
diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md
index f1bda40ad4..594cb846f4 100644
--- a/windows/deploy/volume-activation-windows-10.md
+++ b/windows/deploy/volume-activation-windows-10.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Volume Activation for Windows 10
diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md
index 954c093d80..d8194a1caa 100644
--- a/windows/keep-secure/applocker-overview.md
+++ b/windows/keep-secure/applocker-overview.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md
index 23dc64932f..29836430fd 100644
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md
index 18c4baf5b6..2921e55f01 100644
--- a/windows/keep-secure/bitlocker-overview.md
+++ b/windows/keep-secure/bitlocker-overview.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md
index 71ec31b565..93469dafa2 100644
--- a/windows/keep-secure/configure-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: medium
 author: jasesso
 ---
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
index 72171eec5e..113656af14 100644
--- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
@@ -8,6 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: detect
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: medium
 author: dulcemv
 ---
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
index fe5431ac69..f7c920bb4f 100644
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: medium
 author: jasesso
 ---
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index bae0757612..059e35186e 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
 # Keep Windows 10 secure
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index 45548bb40f..19858820e5 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: security
 author: challum
+localizationpriority: high
 ---
 # Microsoft Passport guide
diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md
index 2f9e009bd2..60ac319a63 100644
--- a/windows/keep-secure/requirements-to-use-applocker.md
+++ b/windows/keep-secure/requirements-to-use-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
index 595d3e6855..2234eebd86 100644
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
@@ -8,6 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: medium
 author: mjcaparas
 ---
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 049685cef2..0714fff961 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
index a53f073958..3b12429458 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: medium
 author: jasesso
 ---
diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md
index e7b6e784ff..8b0098f582 100644
--- a/windows/keep-secure/trusted-platform-module-overview.md
+++ b/windows/keep-secure/trusted-platform-module-overview.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
index 088acf33fa..0ab40df034 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -8,6 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md
index 1e1801da84..66f1abdc16 100644
--- a/windows/keep-secure/user-account-control-overview.md
+++ b/windows/keep-secure/user-account-control-overview.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: operate
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md
index ef04831e0b..8564ae357c 100644
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # VPN profile options
diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md
index 0cb9c52700..54f7343cd7 100644
--- a/windows/keep-secure/windows-10-mobile-security-guide.md
+++ b/windows/keep-secure/windows-10-mobile-security-guide.md
@@ -1,254 +1,169 @@
 ---
 title: Windows 10 Mobile security guide (Windows 10)
-description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
+description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
 ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205
 keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, mobile
+localizationpriority: high
 author: AMeeus
 ---
-
 # Windows 10 Mobile security guide
-**Applies to**
-- Windows 10 Mobile
+*Applies to Windows 10 Mobile, version 1511 and Windows Mobile, version 1607*
-This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-## Overview
+>This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
-Windows 10 Mobile is specifically designed for smartphones and small tablets. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors.
Several broad categories of security work went into Windows 10 Mobile:
+Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data.
+Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include:
+- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
+- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
+- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
-- **Identity and access control.** Microsoft has greatly enhanced identity and access control features to simplify and improve the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA).
(Windows Hello requires either a specialized illuminated infrared \[IR\] camera for facial recognition and iris detection or a finger print reader that supports the Windows Biometric Framework.)
-- **Data protection.** Confidential data is better protected from compromise than ever before. Windows 10 Mobile uses several data-protection technologies and delivers them in a user-friendly and IT-manageable way.
-- **Malware resistance.**Windows 10 Mobile helps protect critical system resources and apps to reduce the threat of malware, including support for enterprise-grade secure hardware and Secure Boot.
-- **App platform security.** The Windows 10 Mobile enterprise-grade secure app platform provides multiple layers of security. For example, Windows Store checks all apps for malware to help prevent malware from reaching devices.
+This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware.
-In addition, AppContainer application isolation helps prevent any malicious app from compromising other apps.
+**In this article:**
+- Windows Hello for Business
+- Windows Information Protection
+- Malware resistance
-This guide explains each of these technologies and how they help protect your Windows 10 Mobile devices.
+## Windows Hello
-## Identity and access control
+Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation.
-A fundamental component of security is the notion that a user has a unique identity and that that identity is either allowed or denied access to resources. This notion is traditionally known as access control, which has three parts:
-- **Identification.** The user (subject) asserts a unique identity to the computer system for the purpose of accessing a resource (object), such as a file or an app.
-- **Authentication.** Authentication is the process of proving the asserted identity and verifying that the subject is indeed the subject.
-- **Authorization.** The system compares the authenticated subject’s access rights against the object’s permissions and either allows or denies the requested access.
+Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device.
-The way an operating system implements these components makes a difference in preventing attackers from accessing corporate data. Only users who prove their identities and are authorized to access that data can access it. In security, however, there are varying degrees of identity proof and many different requirements for authorization limits. The access control flexibility most corporate environments need presents a challenge for any operating system. Table 1 lists typical Windows access control challenges and the solutions that Windows 10 Mobile offers.
+Because Windows Hello is supported across all Windows 10 devices, organizations can uniformly implement multifactor authentication across their environment.
Deploying Windows Hello on Windows 10 Mobile devices does require Azure AD (sold separately), but you can use Azure AD Connect to synchronize with your on-premises Active Directory services. -Table 1. Windows 10 Mobile solutions for typical access control challenges - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Access control challengeWindows 10 Mobile solutions

Organizations frequently use passwords to authenticate users and provide access to business applications or the corporate network, because more trustworthy authentication alternatives are too complex and costly to deploy.

Windows Hello provides biometrics to identify the user and unlock the device that closely integrates with Microsoft Passport to identify, authenticate, and authorize users to access the corporate network or applications from their Windows 10 Mobile device with supporting biometric hardware.

When an organization uses smart cards, it must purchase a smart card reader, smart cards, and smart card management software. These solutions are complex and costly to implement; they also tend to delay mobile productivity.

Windows Hello with Microsoft Passport enables a simple and cost-effective MFA deployment across the organization, enhancing the business’ security stance.

Mobile device users must enter their password on a touch keyboard. Entering complex passwords in this way is error prone and less efficient than a keyboard.

Windows Hello helps enable iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors. These biometric identification options are more convenient and more efficient than password-based logon.

Users dislike the need to enter long, complex passwords to log on to corporate services, especially passwords that must change frequently. This frustration often leads to password reuse, passwords written on notepads, and weak password composition.

Microsoft Passport allows users to sign in once and gain access to corporate resources without having to re-enter complex passwords. Authentication credentials are bound to the device through a built-in Trusted Platform Module (TPM) and cannot be removed.

-  -The following sections describe these challenges and solutions in more detail.
+Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors.
-### Microsoft Passport
+>**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-Microsoft Passport provides strong MFA, fully integrated into Windows devices, to replace passwords. To authenticate, the user must have a Microsoft Azure Active Directory (Azure AD)–registered device and either a PIN or Windows Hello biometric gesture to unlock the device. Microsoft Passport is conceptually similar to a smart card but more flexible, as it doesn’t require a public key infrastructure or the implementation of additional hardware and supports biometric identification.
+### Secured credentials
-Microsoft Passport offers three significant advantages over the previous state of Windows authentication: it’s more flexible, it’s based on industry standards, and it more effectively mitigates risks.
-### It's effective
+Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised.
Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it.
-Microsoft Passport eliminates the use of passwords for logon and so reduces the risk that an attacker will steal and reuse a user’s credentials. User key material, which includes the user’s private key, is available only on the device that generated it. The key material is protected with the TPM, which protects the key material from attackers who want to capture and reuse it. It is a Windows Hardware Certification Program requirement that every Windows 10 Mobile device include a TPM.
+To compromise Windows Hello credentials, an attacker would need access to the physical device, and then find a way to spoof the user’s biometric identity or guess his or her PIN. All of this would have to be accomplished before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. With TPM-based protection, an attacker’s window of opportunity for compromising a user’s credentials is greatly reduced.
-To compromise a Microsoft Passport credential that the TPM protects, an attacker must have access to the physical device, and then find a way to spoof the user’s biometrics identity or guess his or her PIN—and all of this must be done before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. This technology greatly reduces an attacker’s window of opportunity for compromising a user’s credentials.
+### Support for biometrics
-### It's flexible
+Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind.
Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.
-Microsoft Passport offers unprecedented flexibility along with enterprise-grade security.
+Windows Hello supports three biometric sensor scenarios:
+- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
+- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
+- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
-Most importantly, Microsoft Passport works with biometrics or PINs and gives you options beyond long, complex passwords. Instead of users memorizing and retyping often-changed passwords, Microsoft Passport enables PIN- and biometrics-based identification through Windows Hello to identify users more securely.
+>Users must create an unlock PIN while they enroll a biometric gesture.
The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
-The Windows 10 Mobile device that the user logs on to is an authentication factor, as well. The credentials used and the private key on the device are device specific and bound to the device’s TPM.
+All three of these biometric factors – face, finger, and iris – are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes or both eyes with and without eyeglasses or contact lenses.
-In the future, Microsoft Passport will also enable people to use Windows 10 Mobile devices as a remote credential when signing in to PCs running Windows 10. Users will use their PINs or biometrics to unlock their phones, and their phones will unlock their PCs. Phone sign-in with Microsoft Passport will make implementing MFA for scenarios where the user’s credentials must be physically separate from the PC the user is signing in to less costly and complex than other solutions. Phone sign-in will also make it easier for users and IT pros because users can use their phones to sign in to any corporate device instead of enrolling a user credential on each.
+Spoofing biometric data is often a big concern in enterprise environments. Microsoft employs several anti-spoofing techniques in Windows 10 Mobile that verify the trustworthiness of the biometric device, as well as guard against intentional collision with stored biometric measurements. These techniques help improve the false-acceptance rate (the rate at which spoofed biometric data is accepted as authentic) while maintaining the overall usability and manageability of MFA.
-With Microsoft Passport, you gain flexibility in the data center, too. 
To deploy it for Windows 10 Mobile devices, you must set up Azure AD, but you don’t have to replace or remove your existing Active Directory environment. Using Azure AD Connect, organizations can synchronize these two directory services. Microsoft Passport builds on and adds to your existing infrastructure and allows you to federate with Azure AD.
+The biometric image collected at enrollment is converted into an algorithmic form that cannot be converted back into the original image. Only the algorithmic form is kept; the actual biometric image is removed from the device after conversion. Windows 10 Mobile devices both encrypt the algorithmic form of the biometric data and bind the encrypted data to the device, both of which help prevent someone from removing the data from the phone. As a result, the biometric information that Windows Hello uses is a local gesture and doesn’t roam among the user’s devices.
-Microsoft Passport is also supported on the desktop, giving organizations a uniform way to implement strong authentication on all devices. This flexibility makes it simpler for Microsoft Passport to supplement existing smart card or token deployments for on-premises Windows PC scenarios, adding MFA to mobile devices and users who don’t currently have it for extra protection of sensitive resources or systems that these mobile devices access.
+### Companion devices
-### It's standardized
+A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail. 
-Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: the future lies with open, interoperable systems that allow secure authentication across a variety of devices, line-of-business (LOB) apps, and external applications and websites. To this end, a group of industry players formed the Fast Identity Online (FIDO) Alliance. The FIDO Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices as well as the problems users face in creating and remembering multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services securely. This new standard can allow any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms using a standardized set of interfaces and protocols.
-In 2014, Microsoft joined the board of the FIDO Alliance. FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards and of course new ideas. Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. 
Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
+In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2).
-### Windows Hello
+### Standards-based approach
-Windows Hello is the new biometric framework for Windows 10. Because biometric identification is built directly into the operating system, it allows you to use your iris, face, or fingerprint to unlock your mobile device. Windows Hello unlocks Microsoft Passport credentials, which enable authentication to resources or relying parties such as software-as-a-service applications like Microsoft Office 365.
-Windows Hello supports three biometric sensor options that are suitable for enterprise scenarios:
+The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms.
-- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. 
Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
-- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
-- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
-> **Note:**  Users must create an unlock PIN before they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
-  
-All three of these biometric factors—the face, the finger, and the iris—are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes; or both with and without eyeglasses or contact lenses.
+In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards. 
Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for both enterprises and consumers.
-Spoofing biometric data is often a big concern in enterprise environments. Microsoft employs several anti-spoofing techniques in Windows 10 Mobile that verify the trustworthiness of the biometric device as well as guard against intentional collision with stored biometric measurements. These techniques help improve the false-acceptance rate (the rate at which spoofed biometric data is accepted as authentic) while maintaining the overall usability and manageability of MFA.
+## Windows Information Protection
-The biometric image collected at enrollment is converted into an algorithmic form that cannot be converted back into the original image. Only the algorithmic form is kept; the actual biometric image is removed from the device after conversion. Windows 10 Mobile devices both encrypt the algorithmic form of the biometric data and bind the encrypted data to the device, both of which help prevent someone from removing the data from the phone. As a result, the biometric information that Windows Hello uses is a local gesture and doesn’t roam among the user’s devices.
+Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This fluidity increases the potential for sensitive corporate data to be accidentally compromised.
-Windows Hello offers several major benefits. 
First, it helps to address the problems of credential theft and sharing because an attacker must obtain the mobile phone and impersonate the user’s biometric identity, which is more difficult than stealing a device unlock password. Second, the use of biometrics gives users an authenticator that’s always with them—there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, enterprise-grade secure method for logging on to their Windows 10 Mobile device. Finally, there’s nothing additional to deploy, because Microsoft built Windows Hello support directly into the operating system. All you need is a device that includes a supported biometric sensor.
+Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.
-The device that senses the biometric factors must report the data to Windows Hello quickly and accurately. For this reason, Microsoft determines which factors and devices are trustworthy and accurate prior to their inclusion in Windows Hello. For more information, see [Windows 10 specifications](http://go.microsoft.com/fwlink/p/?LinkId=722908).
+Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. 
Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include:
+- Automatically tag personal and corporate data.
+- Protect data while it’s at rest on local or removable storage.
+- Control which apps can access corporate data.
+- Control which apps can access a virtual private network (VPN) connection.
+- Prevent users from copying corporate data to public locations.
+- Help ensure business data is inaccessible when the device is in a locked state.
-## Data protection
+### Enlightened apps
-Windows 10 Mobile continues to provide solutions that help protect information against unauthorized access and disclosure.
+Third-party data loss protection solutions usually require developers to wrap their apps. However, Windows Information Protection builds this intelligence right into Windows 10 Mobile so most apps require nothing extra to prevent inappropriate corporate data sharing.
+Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
-### Device encryption
-Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating system and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. 
A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device. +When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that: +- Don’t use common controls for saving files. +- Don’t use common controls for text boxes. +- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance). -You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. Table 2 lists the policies you can change to customize device encryption on Windows 10 Mobile devices. +In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data. -Table 2. Windows 10 cryptography policies - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
Area namePolicy nameDescription

Cryptography

Allow FIPS Algorithm Policy

Enable or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.

BitLocker

Encryption Method

Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.

Cryptography

TLS Cipher Suite

This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.

-  
-For a complete list of policies available, see [Policy CSP](https://technet.microsoft.com/library/dn904962.aspx).
+**When is app enlightenment required?**
+- **Required**
+ - App needs to work with both personal and enterprise data.
+- **Recommended**
+ - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps.
+ - App needs to access enterprise data, while protection under lock is activated.
+- **Not required**
+ - App handles only corporate data
+ - App handles only personal data
-### Enterprise data protection
+### Data leakage control
-Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This situation increases the potential for compromise of sensitive corporate data.
+To configure Windows Information Protection in a Mobile Device Management (MDM) solution that supports it, simply add authorized apps to the allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, unauthorized apps will not have access to enterprise data.
-One growing risk is authorized users’ accidental disclosure of sensitive data—a risk that is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. One example is common among organizations: an employee connects his or her personal phone to the company’s Microsoft Exchange Server instance for email. He or she uses the phone to work on email that includes attachments with sensitive data. When sending the email, the user accidentally copies a supplier. Content protection is only as strong as the weakest link, and in this example, the unintended sharing of sensitive data with unauthorized people might not have been prevented with standard data encryption. 
+Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data.
-In Windows 10 Mobile, Windows Information Protection (WIP) helps separate personal and enterprise data and prevent data leakage. Key features include its ability to:
+The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set:
+- **Block.** Windows Information Protection blocks users from completing the operation.
+- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
+- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
+- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
-- Automatically tag personal and corporate data.
-- Protect data while it’s at rest on local or removable storage.
-- Control which apps can access corporate data.
-- Control which apps can access a virtual private network (VPN) connection.
-- Prevent users from copying corporate data to public locations.
+### Data separation
-> **Note:** WIP is currently being tested in select customer evaluation programs. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). 
-  
-### Enlightenment
+Most third-party solutions require an app wrapper that directs enterprise data into a password-protected container and keeps personal data outside the container. Depending on the implementation, this may require two different versions of the same apps to be running on the device: one for personal data and another for enterprise data.
-Third-party data loss protection solutions usually require developers to wrap their apps. In contrast, WIP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with WIP.
+Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless.
-WIP can enforce policy without the need for an app to change. This means that an app that always handles business data (such as an LOB app) can be added to the allowed list and will always encrypt all data that it handles. However, if the app does not use common controls, cut and paste operations from this app to a non-enterprise app will silently fail. In addition, if the app needs to handle personal data, this data will also be encrypted.
-Therefore, to improve the user experience, in some cases, developers should enlighten their apps by adding code to and compiling them to use the WIP application programming interfaces. Those cases include apps that:
-- Don’t use common controls for saving files.
-- Don’t use common controls for text boxes.
-- Work on personal and enterprise data simultaneously (for example, contact apps that display personal and enterprise data in a single view; a browser that displays personal and enterprise web pages on tabs within a single instance). 
+### Encryption
-Figure 1 summarizes when an app might require enlightenment to work with WIP. Microsoft Word is a good example. Not only can Word access personal and enterprise data simultaneously, but it can also transmit enterprise data (for example, email attachments containing enterprise data).
+Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device.
-In any case, most apps don’t require enlightenment for them to use WIP protection. Simply adding them to the WIP allow list is all you must do. Because unenlightened apps cannot automatically tag data as personal or enterprise, if they are in a WIP policy, they treat all data as enterprise data. An LOB app is a good example. Adding an LOB app to a WIP policy protects all data that the app handles. Another example is a legacy app that cannot be updated, which you can add to a WIP policy and use without even being aware that WIP exists.
+You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. 
The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices.
+- Cryptography
+ - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
+ - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
+- BitLocker
+ - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
-![figure 1](images/mobile-security-guide-fig1.png)
+To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello.
-Figure 1. When is enlightenment required?
+### Government Certifications
-### Data leakage control
-
-To configure WIP in an MDM solution that supports it, add authorized apps to the WIP allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, apps that this policy doesn’t authorize won’t have access to enterprise data.
-
-WIP works seamlessly until users try to access enterprise data with or try to paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but WIP blocks users from copying enterprise data from an authorized app to an unauthorized app. Likewise, WIP blocks users from using an unauthorized app to open a file that contains enterprise data. 
-In addition, users cannot copy and paste data from authorized apps to unauthorized apps or locations on the Web without triggering one of the WIP protection levels:
-- **Block.** WIP blocks users from completing the operation.
-- **Override.** WIP notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
-- **Audit.** WIP does not block or notify users but logs the operation in the audit log.
-- **Off.** WIP does not block or notify users and does not log operations in the audit log.
-
-### Data separation
-
-As the name suggests, data separation separates personal from enterprise data. Most third-party solutions require an app wrapper, and from here, enterprise data goes in a container while personal data is outside the container. Often, people must use two different apps for the same purpose: one for personal data and another for enterprise data.
-
-WIP provides the same data separation but neither uses containers nor requires a special version of an app to access business data, and then a second instance of it to access personal data. There are no containers, partitions, or special folders to physically separate personal and business data. Instead, Windows 10 Mobile is the access control broker, identifying enterprise data because it’s encrypted to the enterprise. Therefore, WIP provides data separation by virtue of encrypting enterprise data.
-
-### Visual cues
-
-In Windows 10 Mobile, visual cues indicate the status of WIP to users (see Figure 2):
-
-- **Start screen.** On the Start screen, apps that a WIP policy manages display a visual cue.
-- **Files.** In File Explorer, a visual cue indicates whether a file or folder contains enterprise data and is therefore encrypted.
-For example, Erwin is an employee at Fabrikam. He opens Microsoft Edge from the Start screen and sees that the tile indicates that a WIP policy manages the browser. 
Erwin opens the Fabrikam sales website and downloads a spreadsheet. In File Explorer, Erwin sees that the file he downloaded has a visual cue which indicates that it’s encrypted and contains enterprise data. When Erwin tries to paste data from that spreadsheet into an app that no WIP policy manages (for example, his Twitter app), Erwin might see a message that allows him to override protection while logging the action, depending on the protection level configured in the WIP policy.
-
-![figure 2](images/mobile-security-guide-fig2.png)
-
-Figure 2. Visual cues in WIP
+Windows 10 Mobile supports both [FIPS 140 standards](http://csrc.nist.gov/groups/STM/cavp/validation.html) for cryptography and [Common Criteria](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10694) The FIPS 140 certification validates the effectiveness of the cryptographic algorithms used in Windows 10 Mobile. Microsoft has also received Common Criteria certification for Windows 10 Mobile running on Lumia 950, 950 XL, 550, 635, as well as Surface Pro 4, giving customers assurance that securety functionality is implemented properly.
 ## Malware resistance
-Just as software has automated so much of our lives, malware has automated attacks on our devices. Those attacks are relentless. Malware is constantly changing, and when it infects a device, it can be difficult to detect and remove.
-The best way to fight malware is to prevent the infection from happening. Windows 10 Mobile provides strong malware resistance because it takes advantage of secured hardware and protects both the startup process and the core operating system architecture.
-
-Table 3 lists specific malware threats and the mitigation that Windows 10 Mobile provides.
-
-Table 3. Threats and Windows 10 Mobile mitigations
+The best way to fight malware is prevention. 
Windows 10 Mobile provides strong malware resistance through secured hardware, startup process defenses, core operating system architecture, and application-level protections. +The table below outlines how Windows 10 Mobile mitigates specific malware threats. --++ - + @@ -266,11 +181,11 @@ Table 3. Threats and Windows 10 Mobile mitigations - + - + @@ -291,249 +206,164 @@ Table 3. Threats and Windows 10 Mobile mitigations
ThreatWindows 10 Mobile mitigationWindows 10 Mobile mitigation

An app infects other apps or the operating system with malware.

All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.

All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.

An unauthorized app or malware attempts to start on the device.

All Windows 10 Mobile apps must come from Windows Store or Windows Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.

All Windows 10 Mobile apps must come from Windows Store or Windows Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.

User-level malware exploits a vulnerability in the system or an application and owns the device.

-  -> **Note:**  Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [http://www.uefi.org/specsandtesttools](http://go.microsoft.com/fwlink/p/?LinkId=722912). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed. -  -The following sections describe these improvements in more detail. -### Enterprise-grade secure hardware +>**Note:** The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed. -Taking full advantage of Windows 10 Mobile security features requires advancements in hardware-based security. These advances include UEFI with Secure Boot, TPM, and biometric sensors (hardware dependent). +### UEFI with Secure Boot -### UEFI with Secure Boot +When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware. 
-When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware. +UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also helps to ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone. + +UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the mobile phone’s manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and to try and hide its malicious behavior from the operating system. Firmware-based malware of this nature is typically called bootkits. -UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also help ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone. -UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. 
Because only the mobile phone’s manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and can successfully hide its malicious behavior from Windows 10 Mobile. Firmware-based malware of this nature is typically called a bootkit. When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing. -All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. -Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://go.microsoft.com/fwlink/p/?LinkId=722909). +All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx) -### Trusted Platform Module +### Trusted Platform Module -A Trusted Platform Module is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or mobile phone. 
A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. It is a Windows 10 Mobile device hardware certification requirement to include a TPM in every Windows 10 Mobile device. +A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or smartphone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. A TPM is required to receive Windows 10 Mobile device hardware certification. -A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling reliable report of the software used to start a platform. +A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform. -The following list describes key functionality that a TPM provides in Windows 10 Mobile: -- **Manage cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. 
Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. -- **Safeguard and report integrity measurements.**Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. -- **Prove a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware that masquerades as a TPM. +The following list describes key functionality that a TPM provides in Windows 10 Mobile: +- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. +- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. +- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. 
-Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. -Many people assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements; therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile. +Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. 
TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. -> **Note:**  Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733964). -  -Several Windows 10 Mobile security features require TPM: -- Virtual smart cards -- Measured Boot -- Health attestation (requires TPM 2.0 or later) -Still other features will use the TPM if it is available. For example, Microsoft Passport does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Microsoft Passport. +Many assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements. Therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile. -### Biometrics +>Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](https://technet.microsoft.com/library/dn915086.aspx) -Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. 
Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. Biometrics may have provided convenience but not necessarily enterprise-grade authentication. -Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by MFA features such as Microsoft Passport and Windows Hello. -In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue to integrate them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system. +Several Windows 10 Mobile security features require TPM: +- Virtual smart cards +- Measured Boot +- Health attestation (requires TPM 2.0 or later) -### Enterprise-grade secure Windows startup +Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello. -UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the devices, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. +### Biometrics -### Trusted Boot +Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. 
Biometrics may have provided convenience, but not necessarily enterprise-grade authentication. -When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (for example, signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files. +Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by Windows Hello. -If someone has modified a file (for example, if malware has tampered with it or it has been corrupted), Trusted Boot will detect the problem and attempt to automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay. +In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue integrating them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system. -### Measured Boot +### Trusted Boot -The biggest challenge with rootkits and bootkits in earlier versions of Windows was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution—and they had system-level privileges—rootkits and bootkits could completely disguise themselves while continuing to access system resources. 
Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (for example, if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one). -Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks. -Measured Boot focuses on acquiring the measurement data and protecting it against tampering. You must couple it, however, with a service that can analyze the data to determine device health and provide a more complete security service. The next section introduces just such a service. +UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the device, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. -### Device health attestation +When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (e.g., signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files. -Device health attestation is new feature in Windows 10 Mobile that helps prevent low-level malware infections. 
Device health attestation uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties. -You can integrate Device health attestation with Microsoft Intune or non-Microsoft MDM solutions and combine these hardware-measured security properties with other device properties to gain an overall view of the device’s health and compliance state. From there, you can use this integration in a variety of scenarios, from detecting jailbroken devices to monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365. +### Measured Boot -### Conditional Access +In earlier versions of Windows, the biggest challenge with rootkits and bootkits was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution – and they had system-level privileges – rootkits and bootkits could completely disguise themselves while continuing to access system resources. Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (e.g., if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one). -The example that follows shows how Windows 10 protective measures integrate and work with Intune and non-Microsoft MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile helps you monitor and verify compliance and how the security and trust rooted in the device hardware protect corporate resources end to end. 
+Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks. -When a user turns on a phone: -1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader. -2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process. -3. In parallel to steps 1 and 2, the phone’s TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access. -4. Devices that a Device health attestation-enabled MDM solution manage send a copy of this audit trail to the Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel. -5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device. -6. From your Device health attestation-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization’s security needs and policies. 
-Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a Device health attestation-enabled MDM system like Intune that takes advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware. +Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health. -## App platform security +### Device Health Attestation -Applications built for Windows are designed to be secure and free of defects, but the reality is that human error can create vulnerabilities in code. When malicious users and software identify such vulnerabilities, they may attempt to manipulate data in memory in the hope that they can compromise the system and take control. +Device Health Attestation (DHA) is a new feature in Windows 10 Mobile that helps prevent low-level malware infections. DHA uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties. -To mitigate these risks, Windows 10 Mobile includes a series of improvements to make it more difficult for malware to compromise the device. Windows 10 Mobile even enables organizations to choose which apps are allowed to run on mobile devices. In addition, it includes improvements that can dramatically reduce the likelihood that newly discovered vulnerabilities can be successful exploited. 
It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level. +You can use DHA with Microsoft Intune (sold separately) or a third-party MDM solution to combine hardware-measured security properties with other device properties and gain an overall view of the device’s health and compliance state. This integration can be useful in a variety of scenarios, including detecting jailbroken devices, monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365. -### Device Guard +The example that follows shows how Windows 10 protective measures integrate and work with Intune and third-party MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile can help you monitor and verify compliance and how the security and trust rooted in the device hardware can protect end-to-end corporate resources. -Device Guard is a feature set that consists of both hardware and software system integrity-hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model. +When a user turns a phone on: +1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader. +2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process. +3. In parallel to steps 1 and 2, the phone’s TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). 
It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access. +4. Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel. +5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device. +6. From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization’s security needs and policies. +Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a DHA-enabled MDM system like Intune. It can take advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware. -All apps on Windows 10 Mobile must be digitally signed and come from Windows Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Windows Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app doesn’t have a digital signature or is prevented by policy, or it does not come from a trusted store, it will not run on Windows 10 Mobile. +### Device Guard -Advanced hardware features (described earlier in the [Enterprise-grade secure hardware](#secure-hardware) section) drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot. 
+Device Guard is a feature set that consists of both hardware and software system integrity–hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model.
-### AppContainer
+All apps on Windows 10 Mobile must be digitally signed and come from Windows Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Windows Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
-The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer—a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy.
+Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot.
-The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer. A capability is a Windows 10 Mobile device resource such as geographical location information, camera, microphone, networking, and sensors.
+### Address Space Layout Randomization
-A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. In addition, access to other capabilities can be declared within the app code itself. Access to additional capabilities and privileges cannot be requested at run time, as can be done with traditional desktop applications.
+One of the most common techniques used by attackers to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
-The AppContainer concept is advantageous for the following reasons:
-
-- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
-- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Windows Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
-- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communications channels and data types.
-
-Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Windows Store displays the permissions that the app requires along with the app’s age rating and publisher.
-
-The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect, however, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, we need redundant vulnerability mitigations. The next several topics describe some of the redundant mitigations in Windows 10 Mobile.
-
-### Address Space Layout Randomization
-One of the most common techniques attackers use to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
-
-Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
+Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
 ![figure 3](images/mobile-security-guide-figure3.png)
-Figure 3. ASLR at work
+Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system.
-Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, making it even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, making it even more difficult for a successful exploit that works on one system to work reliably on another. Microsoft also holistically applied ASLR across the entire system in Windows 10 Mobile rather than it working only on specific apps.
+### Data Execution Prevention
-### Data Execution Prevention
+Malware depends on its ability to insert a malicious payload into memory with the hope that an unsuspecting user will execute it later. While ASLR makes that more difficult, Windows 10 Mobile extends that protection to prevent malware from running if written to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) substantially reduces the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read-only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP.
-Malware depends on its ability to put a malicious payload into memory with the hope that an unsuspecting user will execute it later. ASLR makes that much more difficult.
-
-Extending that protection, it would be great if you could prevent malware from running if it wrote to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) does exactly that, substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP.
-
-### Windows heap
+### Windows heap
 The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use.
-Windows 10 Mobile has several important improvements to the security of the heap over previous versions of Windows:
+Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows:
+- Internal data structures that the heap uses are better protected against memory corruption.
+- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
+- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
-- Internal data structures that the heap uses are better protected against memory corruption.
-- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
-- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
+### Memory reservations
-### Memory reservations
+Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, making it more difficult for malware to overwrite critical system data structures in memory.
-Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory.
+### Control Flow Guard
-### Control Flow Guard
+When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known – they are written in the code itself. However, until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run.
-When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known—they are written in the code itself—but until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run.
-Windows 10 Mobile mitigates this kind of threat through the Control Flow Guard (CFG) feature. When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn’t trust the location, it immediately terminates the application as a potential security risk.
+Windows 10 Mobile mitigates this kind of threat through Control Flow Guard (CFG). When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn’t trust the location, it immediately terminates the application as a potential security risk.
-You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. Of course, browsers are a key entry point for attacks; thus Microsoft Edge and other Windows features take full advantage of CFG.
+You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Because browsers are a key entry point for attacks, Microsoft Edge takes full advantage of CFG.
-### Protected processes
+### Protected Processes
-In general, preventing a computer security incident is more cost-effective than repairing the damage an incident can cause. For malware in particular, most security controls are designed to prevent an attack from being initially successful. The reasoning is that if malware cannot infect the system, the system is immune to malware.
+Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required.
+If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system.
-Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, it cannot be the only type of malware control.
+### AppContainer
-The key security scenario is to assume that malware is running on a system but limit what it can do. Windows 10 Mobile has security controls and design features in place to reduce compromise from existing malware infections. Protected Processes is one such feature.
+The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer – a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy.
-With Protected Processes, Windows 10 Mobile prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes more broadly across the operating system.
+The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer, such as geographical location information, camera, microphone, networking, or sensors.
-### Store for Business
+A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time.
-Store for Business allows IT pros to find, acquire, distribute, and manage apps for their organization. The model provides flexible ways to distribute apps, depending on the size of your organization, and does not require additional infrastructure in some scenarios.
+The AppContainer concept is advantageous because it provides:
+- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
+- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Windows Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
+- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
-UWP apps are inherently more secure than typical applications because they are sandboxed, which restricts the app’s risk of compromise or tampering with in a way that would put the system, data, and other applications at risk. Windows Store can further reduce the likelihood that malware will infect devices by reviewing all applications that enter the Windows Store ecosystem before making them available. Store for Business extends this concept by enabling you to distribute custom LOB apps, and even some Windows Store apps, to Windows 10 Mobile devices through the same Windows Store infrastructure.
+Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Windows Store displays the permissions that the app requires along with the app’s age rating and publisher.
-Regardless of how users acquire UWP apps, they can use them with increased confidence. UWP apps run in an AppContainer sandbox with limited privileges and capabilities. For example, the apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
+The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile.
-In addition, all UWP apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is significantly limited and should be contained within the sandbox. Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
+### Microsoft Edge
-The Windows Store app-distribution process and the app sandboxing capabilities of Windows 10 Mobile can dramatically reduce the likelihood that users encounter malicious apps on the system.
+The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
-For more information about Store for Business, see [Windows Store for Business overview](../whats-new/windows-store-for-business-overview.md).
+Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
+- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
+- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
+- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
-### App management
+## Summary
-An enterprise typically exerts some configuration and control over the apps installed on devices. In this way, the organization accomplishes several business goals, such managing software licenses, ensuring mandatory app deployment on required devices, and preventing the installation of unacceptable apps on corporate devices.
+Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace.
-An important component in delivering on these goals is Store for Business, which builds on the Windows Store infrastructure that Microsoft hosts and enables you to deploy Windows Store apps across your Windows 10-based devices. Store for Business is both powerful and highly flexible. It allows you to extend and customize features without having to stand up new on-premises infrastructure. It supports and integrates with your existing MDM service but doesn’t require one. (Ask your MDM service vendor about integration with Store for Business.) You can configure Store for Business for a wide variety of scenarios, including online and offline licensing and different app-distribution options. For a more detailed description of the available Store for Business scenarios, see [Windows Store for Business overview](../whats-new/windows-store-for-business-overview.md).
+## Revision History
-A web-based portal for IT pros simplifies Windows 10 Mobile app deployment. The familiar look of Windows Store was used to design the Store for Business experience. It showcases apps relevant to business use, hand-selected and sorted by category. The store can use Azure AD accounts for all users, linking them to a single, unique organizational identity.
+November 2015 Updated for Windows 10 Mobile (version 1511)
-Another key benefit is licensing. Store for Business enables you to track and manage licenses for all UWP apps. You can easily determine which users have installed specific apps, track remaining licenses left, and acquire new licenses directly through the web interface. Those new licenses are added within Store for Business and do not require complex export and import processes. As long as your clients are online and have Internet connectivity, the licensing scenario with Store for Business is a great improvement over manual licensing tasks.
+July 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607)
-Store for Business allows you to find the right apps for your users, acquire them, manage app licenses, and distribute apps to individuals. The best way to understand Store for Business is to look at the steps involved in a common scenario: delivering apps to Windows 10 Mobile users without an MDM—specifically, deploying apps to Windows 10 Mobile users. In this scenario, you identify several apps that must be on each mobile device that are currently available for free in the Windows Store (for example, a VPN app for your Dell SonicWALL solution) and some internally developed LOB apps.
-
-### The IT side
-
-You begin the app deployment process by preparing the private store and the apps before your users receive their new Windows 10 Mobile devices.
-
-First, you open [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) and use an Azure AD account to log in. This account is linked to the company’s unique organizational identity and must have an Azure AD tenant. In addition, the account must have Azure AD Enterprise Admin permissions if this is the first time you’re using Store for Business. You can delegate later access through permissions within Store for Business.
-Next, you locate and acquire any apps you want to deploy to the mobile devices, adding the apps and licenses to the organization’s inventory.
-
-Along with existing Windows Store apps, you can use Store for Business to manage custom LOB apps that are developed for your organization. First, you grant permission for a trusted app developer to submit the apps. You and the developer submit these apps through the [Windows Dev Center](http://go.microsoft.com/fwlink/p/?LinkId=722911), and they must be digitally signed with a trusted certificate. These apps are not published to the retail Windows Store catalog and are not visible to anyone outside the organization.
-
-You can deliver the apps through a private store within Windows Store. The next step, then, is for you to mark the app to be available in the private store, which you do through the Store for Business web portal.
-
-Alternatively, you can choose one of two other app-distribution options in Store for Business web portal:
-- Assign the app to people in your organization by selecting one or more Azure AD identities
-- Add the app to the organization’s private store, and allow all users to discover and install it.
-For details about app distribution, see [Distribute apps using your private store](../manage/distribute-apps-from-your-private-store.md).
-
-The IT process for preparing Store for Business for app deployment is shown in Figure 4.
-
-![figure 4](images/mobile-security-guide-figure4.png)
-
-Figure 4. The IT process for Store for Business
-
-For details about the process of distributing apps through Store for Business, see [Find and acquire apps](../manage/find-and-acquire-apps-overview.md).
-
-### The user side
-
-After you have prepared Store for Business, the user side of the process takes over. This side of the process is designed to be user friendly, with the primary app deployment method—through Store for Business—streamlined and straightforward. This process doesn’t require an MDM system or any on-premises infrastructure. In fact, the user never sees the “for Business” label, just the familiar Windows Store.
-
-1. The user opens the Windows Store app on his or her Windows 10 Mobile device.
-
-2. The same Windows Store interface appears, with the addition of the private store you created. The private store appears as a new page, similar to Games and Music. The interface integrates the public Windows Store with the organization’s private store, which contains curated apps.
-
-3. The user simply selects and installs apps as usual.
-
-If the user wants to make a private purchase of apps, music, movies, or TV shows with his or her Microsoft account, that’s an option, as well. The user pays for and owns his or her purchase, independent of the company. This flexibility enables hybrid scenarios for devices in many bring your own device environments.
-
-### Microsoft Edge
-
-Windows 10 Mobile includes critical improvements designed to thwart attacks and malware. The environment is now more resistant to malware thanks to significant improvements to SmartScreen Filters. Internet browsing is a safer experience thanks to Microsoft Edge, a completely new browser.
-
-Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
-- **Microsoft Edge does not support non-Microsoft binary extensions.** Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions but includes no non-Microsoft binary extensions, such as ActiveX controls or Java.
-- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
-- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
-
-The web browser is a critical component of any security strategy, and for good reason: it is the user’s interface to the Internet, an environment teeming with malicious sites and nefarious content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
-
-## Related topics
-
-
-[Windows 10 security overview](windows-10-security-guide.md)
-
-[Windows 10 Mobile and MDM](../manage/windows-10-mobile-and-mdm.md)
-
-[Windows 10 and Windows 10 Mobile](../index.md)
-
-[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910)
-
-[Windows Store for Business overview](../whats-new/windows-store-for-business-overview.md)
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
index e0fac10aa2..6a822ec11e 100644
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: challum
 ---
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
index 71894a0846..de89c2fde6 100644
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md @@ -8,6 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: medium author: iaanw --- diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md index e7ce19cd26..c3f51393f2 100644 --- a/windows/keep-secure/windows-defender-enhanced-notifications.md +++ b/windows/keep-secure/windows-defender-enhanced-notifications.md @@ -8,6 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: medium author: iaanw --- diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index e052d1a3bb..7ad3e53061 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: medium author: jasesso --- diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md index bdd1e45d8b..a90a308ed7 100644 --- a/windows/keep-secure/windows-defender-offline.md +++ b/windows/keep-secure/windows-defender-offline.md @@ -8,6 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: medium author: iaanw --- diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md index 690b516662..f0db2dc596 100644 --- a/windows/keep-secure/windows-security-baselines.md +++ b/windows/keep-secure/windows-security-baselines.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- 
diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md index cc42197767..ba99073d18 100644 --- a/windows/manage/administrative-tools-in-windows-10.md +++ b/windows/manage/administrative-tools-in-windows-10.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: medium --- # Administrative Tools in Windows 10 diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 67f0217f4c..f45e2f1553 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | -| [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout | +| [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout; added note to explain the difference between applying taskbar configuration by Group Policy and by provisioning package | ## RELEASE: Windows 10, version 1607 diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md index ad0589981e..a1f2799e53 100644 --- a/windows/manage/changes-to-start-policies-in-windows-10.md +++ b/windows/manage/changes-to-start-policies-in-windows-10.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS -localizationpriority: medium +localizationpriority: high --- # Changes to Group Policy settings for Windows 10 Start diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md index b96590c3b1..aaa7856125 100644 
--- a/windows/manage/configure-windows-10-taskbar.md +++ b/windows/manage/configure-windows-10-taskbar.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS -localizationpriority: medium +localizationpriority: high --- # Configure Windows 10 taskbar @@ -40,6 +40,9 @@ To configure the taskbar: * Use `` and Desktop Application Link Path to pin desktop applications. 3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). +>[!IMPORTANT] +>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. + ### Tips for finding AUMID and Desktop Application Link Path In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md index 68d1056ac3..fca7068700 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/manage/customize-and-export-start-layout.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS -localizationpriority: medium +localizationpriority: high --- # Customize and export Start layout 
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md index 6c7c63c9cd..22fe513406 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS -localizationpriority: medium +localizationpriority: high --- # Customize Windows 10 Start and taskbar with Group Policy diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 2fcd71d6ad..b2cf0eebb1 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -23,6 +23,9 @@ localizationpriority: medium
 In Windows 10 Enterprise and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
+>[!IMPORTANT]
+>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
+
 **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
 ## How Start layout control works
diff --git a/windows/manage/index.md b/windows/manage/index.md
index eba6dd0e9c..e3a69f2e47 100644
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---
 # Manage and update Windows 10
diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md
index 8e531b3827..1e73d06398 100644
--- a/windows/manage/introduction-to-windows-10-servicing.md
+++ b/windows/manage/introduction-to-windows-10-servicing.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, servicing
 author: greg-lindsay
+localizationpriority: high
 ---
 # Windows 10 servicing options 
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index c3bdd6979a..f291375dbb 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Manage corporate devices
diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/manage/manage-tips-and-suggestions.md
index f64642592b..2fbb2e3cda 100644
--- a/windows/manage/manage-tips-and-suggestions.md
+++ b/windows/manage/manage-tips-and-suggestions.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # Manage Windows 10 and Windows Store tips, tricks, and suggestions
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
index 6dc1d6a75b..15b40a44f3 100644
--- a/windows/manage/new-policies-for-windows-10.md
+++ b/windows/manage/new-policies-for-windows-10.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 # New policies for Windows 10
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index a7d4e10a34..1ce5e8bf3f 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md 
@@ -1,75 +1,61 @@
 ---
-title: Windows 10 Mobile and mobile device management (Windows 10)
-description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system.
+title: Windows 10 Mobile deployment and management guide (Windows 10)
+description: This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
 ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E
-keywords: telemetry, BYOD, MDM
+keywords: Mobile, telemetry, BYOD, MDM
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile, devices, security
-author: AMeeus
 localizationpriority: high
+author: AMeeus
 ---
-# Windows 10 Mobile and mobile device management
+# Windows 10 Mobile deployment and management guide
-**Applies to**
-- Windows 10 Mobile
+*Applies to: Windows 10 Mobile, version 1511 and Windows 10 Mobile, version 1607*
-This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile.
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-Bring Your Own Device (BYOD—that is, personal devices) and corporate devices are key scenarios that Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to registering devices with directory services and MDM systems, and IT organizations can provision comprehensive device-configuration profiles based on their company’s need to control and secure mobile business data. 
-Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their MDM system. They can control and distribute custom line-of-business (LOB) apps the same way.
+This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
-## Overview
+Employees increasingly depend on smartphones to complete daily work tasks, but these devices introduce unique management and security challenges. Whether providing corporate devices or allowing people to use their personal devices, IT needs to deploy and manage mobile devices and apps quickly to meet business goals. However, they also need to ensure that the apps and data on those mobile devices are protected against cybercrime or loss. Windows 10 Mobile helps organizations directly address these challenges with robust, flexible, built-in mobile device and app management technologies.
+Windows 10 supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. Devices can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance, monitoring, and retirement using a comprehensive mobile device management solution.
-Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. 
Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client. +**In this article** +- Deploy +- Configure +- Apps +- Manage +- Retire -### Built-in MDM client + +## Deploy + +Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which Mobile Device Management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced. +Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or System Center Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). + +### Deployment scenarios + +*Applies to: Corporate and personal devices* The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management. 
-- **Device enrollment.** Users can enroll in the MDM system. On Windows 10, a user can register a device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the same time so that the system can manage the device, the apps running on it, and the confidential data it holds. Enrollment establishes the management authority for the device. Only one management authority (or MDM enrollment) is possible at a time, which helps prevent unauthorized access to devices and ensures their stability and reliability. -- **Device management.** The MDM client allows the MDM system to configure policy settings; deploy apps and updates; and perform other management tasks, such as remotely wiping the device. The MDM system sends configuration requests and collects inventory through the MDM client. The client uses [configuration service providers (CSPs)](http://go.microsoft.com/fwlink/p/?LinkId=734049) to configure and inventory settings. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. (The security architecture of Windows 10 Mobile prevents direct access to registry settings and operating system files. For more information, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).) +Organizations typically have two scenarios to consider when it comes to device deployment: Bring Your Own (BYO) personal devices and Choose Your Own (CYO) company-owned devices. In both cases, the device must be enrolled in an MDM system, which would configure it with settings appropriate for the organization and the employee. +Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. 
IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Windows Store for Business, or by using their MDM system, which can also work with the Windows Store for Business for public store apps. +Knowing who owns the device and what the employee will use it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ. -The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). +For **personal devices**, companies need to be able to manage corporate apps and data on the device without impeding the employee’s ability to personalize it to meet their individual needs. The employee owns the device and corporate policy allows them to use it for both business and personal purposes, with the ability to add personal apps at their discretion. The main concern with personal devices is how organizations can prevent corporate data from being compromised, while still keeping personal data private and under the sole control of the employee. This requires that the device be able to support separation of apps and data with strict control of business and personal data traffic. 
-### Windows 10 Mobile editions +For **corporate devices**, organizations have a lot more control. IT can provide a selected list of supported device models to employees, or they can directly purchase and preconfigure them. Because devices are owned by the company, employees can be limited as to how much they can personalize these devices. Security and privacy concerns may be easier to navigate, because the device falls entirely under existing company policy. -Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system: +### Device enrollment -- **Ability to postpone software updates.**Windows 10 Mobile gets software updates directly from Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile Enterprise, however, allows you to curate and validate updates prior to deploying them. -- **No limit on the number of self-signed LOB apps that you can deploy to a single device.** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device, more than 20 if your organization’s devices run Windows 10 Mobile Enterprise. -- **Set telemetry to security level.** The telemetry security level configures the operating system to gather only the telemetry information required to keep devices secured. 
+*Applies to: Corporate and personal devices* ->**Note:**  Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system. -  -To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal. +The way in which personal and corporate devices are enrolled into an MDM system differs. Your operations team should consider these differences when determining which approach is best for mobile workers in your organization. -### Lifecycle management - -Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features. - -![figure 1](images/win10-mobile-mdm-fig1.png) - -Figure 1. Device management lifecycle - -## Device deployment - -Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios: - -1. 
Companies allow users to personalize their devices because the users own the devices or because company policy doesn’t require tight controls (defined as *personal devices* in this guide). -2. Companies don’t allow users to personalize their devices or they limit personalization, usually because the organization owns the devices and security considerations are high (defined as *corporate devices* in this guide). - -Often, employees can choose devices from a list of supported models, or companies provide devices that they preconfigure, or bootstrap, with a baseline configuration. - -Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices. - -### Deployment scenarios - -Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile. - -Table 1. Characteristics of personal and corporate device scenarios +**Device initialization and enrollment considerations** @@ -80,35 +66,49 @@ Table 1. Characteristics of personal and corporate device scenarios - - + + - - + + - - - + + + - - - + + +
Personal devicesCorporate devicesPersonal devicesCorporate devices
OwnershipUserOwnershipEmployee Organization
Primary usePersonalWorkDevice Innitialization + +In the Out-of-the-Box Experience (OOBE), the first time the employee starts the device, they are requested to add a cloud identity to the device.The primary identity on the device is a personal identity. Personal devices are initiated with a Microsoft Account (MSA), which uses a personal email address. The primary identity on the device is an organizational identity. Corporate devices are initialized with an organizational account (account@corporatedomain.ext). +Initialization of a device with a corporate account is unique to Windows 10. No other mobile platform currently offers this capability. The default option is to use an Azure Active Directory organizational identity. +Skipping the account setup in OOBE will result in the creation of a local account. The only option to add a cloud account later is to add an MSA, putting this device into a personal device deployment scenario. To start over, the device will have to be reset. +
DeploymentThe primary identity on the device is a personal identity. A Microsoft account is the default option for Windows 10 Mobile.The primary identity on the device is an organizational identity. An Azure AD account is the default option for Windows 10 Mobile.Device Enrollment + +Enrolling devices in an MDM system helps control and protect corporate data while keeping workers productive. Device enrollment can be initiated by employees. They can add an Azure account as a secondary account to the Windows 10 Mobile device. Provided the MDM system is registered with your Azure AD, the device is automatically enrolled in the MDM system when the user adds an Azure AD account as a secondary account (MSA+AAD+MDM). If your organization does not have Azure AD, the employee’s device will automatically be enrolled into your organization’s MDM system (MSA+MDM). +MDM enrollment can also be initiated with a provisioning package. This option enables IT to offer easy-to-use self-service enrollment of personal devices. Provisioning is currently only supported for MDM-only enrollment (MSA+MDM). +The user initiates MDM enrollment by joining the device to the Azure AD instance of their organization. The device is automatically enrolled in the MDM system when the device registers in Azure AD. This requires your MDM system to be registered with your Azure AD (AAD+MDM).
-  -### Identity management -People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations): +**Recommendation:** Microsoft recommends Azure AD registration and automatic MDM enrollment for corporate devices (AAD+MDM) and personal devices (MSA+AAD+MDM). This requires Azure AD Premium. -- **Personal identity.** In this scenario, employees use their Microsoft account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution. You can apply policies to help protect and contain corporate apps and data on the devices, designed to prevent intellectual property leaks, but users keep full control over personal activities, such as downloading and installing apps and games. -- **Organizational identity.** In this scenario, employees use their Azure AD account to register the device to Azure AD and automatically enroll it with the organization’s MDM solution. In this case, companies can block personal use of devices. Using organizational Identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization. +### Identity management -Table 2. Personal vs. organizational identity +*Applies to: Corporate and personal devices* + +Employees can use only one account to initialize a device so it’s imperative that your organization controls which account is enabled first. The account chosen will determine who controls the device and influence your management capabilities. + +>**Note:** Why must the user add an account to the device in OOBE? 
Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, etc. Both an [MSA](https://www.microsoft.com/en-us/account/) and an [Azure AD account](https://www.microsoft.com/en-us/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) give access to these services. + +The following table describes the impact of identity choice on device management characteristics of the personal and corporate device scenarios. + +**Identity choice considerations for device management** @@ -119,1187 +119,959 @@ Table 2. Personal vs. organizational identity - - + + - - + + - - - + + + - - - + + + - - + + - - - + + + + + + + + + + + + + + + + + +
Personal identityCorporate identityPersonal identityWork identity
First account on the deviceMicrosoft accountFirst account on the deviceMicrosoft Account Azure AD account
Device sign-inUsers cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft account.Users can unlock devices with an Azure AD account. Organizations can block the addition of a personal identity.Ease of enrollmentEmployees use their Microsoft Account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution (MSA+AAD+MDM).Employees use their Azure AD account to register the device in Azure AD and automatically enroll it with the organization’s MDM solution (AAD+MDM – requires Azure AD Premium).
User settings and data roaming across devicesUser and app settings roam across devices activated with the same personal identity over personal OneDrive.Windows 10 Mobile currently does not support users and app settings roaming over the enterprise cloud. It can block the roaming of personal cloud settings.Credential managementEmployees sign in to the device with Microsoft Account credentials. +Users cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft account. +Employees sign in to the device with Azure AD credentials. +IT can block the addition of a personal identity, such as an MSA or Google Account. IT controls all devices access policies, without limitations. +
Ability to block the use of a personal identity on the device
Ability to block the use of a personal identity on the device No Yes
Level of control

Organization can apply most* restrictive policies to devices, but they cannot remove the Microsoft account from them. Device users can reclaim full control over their devices by un-enrolling them from the organization’s MDM solution.

-
-Note   -

* MDM functionality on personal devices might be limited in the future.

-
-
-  -
Organizations are free to apply the restrictive policies to devices that policy standards and compliance regulations require and prevent the user from un-enrolling the device from the enterprise.User settings and data roaming across multiple Windows devicesUser and app settings roam across all devices activated with the same personal identity through OneDrive.If the device is activated with an MSA, then adds an Azure AD account, user an app settings roam. If you add your MSA to an Azure AD- joined device, this will not be the case. Microsoft is investigating Enterprise roaming for a future release.
Level of controlOrganizations can apply most of the available restrictive policies to devices and disable the Microsoft account. You can prevent users from reclaiming full control over their devices by unenrolling them from the organization’s MDM solution or resetting the device. Legal limitations may apply. For more information, contact your legal department.Organizations are free to apply any restrictive policies to devices to bring them in line with corporate standards and compliance regulations. They can also prevent the user from unenrolling the device from the enterprise.
Information ProtectionYou can apply policies to help protect and contain corporate apps and data on the devices and prevent intellectual property leaks, but still provide employees with full control over personal activities like downloading and installing apps and games.Companies can block personal use of devices. Using organizational identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization.
App purchasesEmployees can purchase and install apps from the Store using a personal credit card.Employees can install apps from your Store for Business. Employees cannot install or purchase app from the Store without the addition of an MSA.
-  -### Infrastructure requirements -For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system. -Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions: Free, Basic, and Premium (see [Azure Active Directory editions](http://go.microsoft.com/fwlink/p/?LinkId=723980)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD. +>**Note:** In the context of [Windows-as-a-Service](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing), differentiation of MDM capabilities will change in the future. ->**Note:**  Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981). -  -Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD organizational account. (By default, Intune uses Azure AD and includes a license). If your organization doesn’t use Azure AD, you must use a personal identity to activate devices and enable common scenarios, such as downloading apps from Windows Store. +### Infrastructure choices -Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and corporate device deployment scenarios. Microsoft offers [Intune](http://go.microsoft.com/fwlink/p/?LinkId=723983), which is part of the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) and a cloud-based MDM system that manages devices off premises. 
Like Office 365, Intune uses Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or sign in to Office 365. Intune supports devices that run other operating systems, as well, such as iOS and Android, to provide a complete MDM solution. +*Applies to: Corporate and personal devices* -You can also integrate Intune with System Center Configuration Manager to gain a single console in which to manage all devices—in the cloud and on premises. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=734051). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Configuration Manager, see [Choose between Intune by itself or integrating Intune with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=723985). -In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM systems claim to support Windows 10 and Windows 10 Mobile: [AirWatch](http://go.microsoft.com/fwlink/p/?LinkId=723986), [Citrix](http://go.microsoft.com/fwlink/p/?LinkId=723987), [Lightspeed Systems](http://go.microsoft.com/fwlink/p/?LinkId=723988), [Matrix42](http://go.microsoft.com/fwlink/p/?LinkId=723989), [MobileIron](http://go.microsoft.com/fwlink/p/?LinkId=723990), [SAP](http://go.microsoft.com/fwlink/p/?LinkId=723991), [SOTI](http://go.microsoft.com/fwlink/p/?LinkId=723992), and [Symantec](http://go.microsoft.com/fwlink/p/?LinkId=723993). +For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD premium subscription is recommended as an identity provider and required to support certain capabilities. 
Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/en-us/library/mt627908.aspx). -All MDM vendors have equal access to the [Windows 10 MDM APIs](http://go.microsoft.com/fwlink/p/?LinkId=734050). The extent to which they implement these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support. +**Azure Active Directory** +Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](http://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. ->**Note:**  Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. -In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (for example, passcode requirements). 
For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052). -  -### Provisioning +**Mobile Device Management** +Microsoft [Intune](http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. +You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://technet.microsoft.com/en-us/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. +Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://azure.microsoft.com/en-us/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. -Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. 
You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. -To assist users with MDM system enrollment, use a provisioning package. To do so, use the [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) to create a provisioning package, and then install that package on the device. -Users can perform self-service MDM enrollment based on the following deployment scenarios: +>**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. +In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicy.aspx). -- **Corporate device.** During the out-of-the-box experience (OOBE), you can instruct the user to select **This device is owned by my organization** and join the device to Azure AD and the MDM system. -- **Personal device.** The user activates the device with a Microsoft account, but you can instruct him or her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the user clicks, **Settings**, clicks **Accounts**, and then clicks **Work access**. 
-To automate MDM enrollment, use provisioning packages as follows: -- **Corporate device.** You can create a provisioning package and apply it to a corporate device before delivery to the user, or instruct the user to apply the package during OOBE. After application of the provisioning package, the OOBE process automatically chooses the enterprise path and requires the user to register the device with Azure AD and enroll it in the MDM system. -- **Personal device.** You can create a provisioning package and make it available to users who want to enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user clicks **Settings**, clicks **Accounts**, and then clicks **Provisioning**). +**Cloud services** +On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. -Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and require that the user enter a password to apply them. +**Windows Push Notification Services** +The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way. +However, push notifications can affect battery life so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. 
Windows 10 Mobile disables the receipt of push notifications to save energy when battery saver is on. +However, there is an exception to this behavior. In Windows 10 Mobile, the Always allowed battery saver setting (found in the Settings app) allows apps to receive push notifications even when battery saver is on. Users can manually configure this list, or IT can use the MDM system to configure the battery saver settings URI scheme in Windows 10 Mobile (ms-settings:batterysaver-settings). -See [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=734054) for more information on creating provisioning packages. +For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md). -## Device configuration +**Windows Update for Business** +Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. -The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10. Configurable settings include: +**Windows Store for Business** +The Windows Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps. 
-- [Email accounts](#email) -- [Account restrictions](#restrictions) -- [Device lock restrictions](#device-lock) -- [Hardware restrictions](#hardware) -- [Certificate management](#certificate) -- [Wi-Fi](#wifi) -- [Proxy](#proxy) -- [Virtual private network (VPN)](#vpn) -- [Access point name (APN) profiles](#apn) -- [Data leak prevention](#data) -- [Storage management](#storage) +## Configure ->**Note:**  Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information. -  -### Email accounts +MDM administrators can define and implement policy settings on any personal or corporate device enrolled in an MDM system. What configuration settings you use will differ based on the deployment scenario, and corporate devices will offer IT the broadest range of control. -You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario. +>**Note:** This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor. +Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. -This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS email profiles. +### Account profile -Table 3. 
Windows 10 Mobile settings for EAS email profiles +*Applies to: Corporate devices* -| Setting | Description | -|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Email Address | The email address associated with the EAS account | -| Domain | The domain name of the Exchange Server instance | -| Account Name | A user-friendly name for the email account on the device | -| Password | The password for the email account | -| Server Name | The server name that the email account uses | -| User Name | The user name for the email account | -| Calendar Age Filter | The age of calendar items to be synchronized with the device (for example, synchronizing calendar items within the past 7 days) | -| Logging | The level of diagnostic logging | -| Mail Body Type | The email body format type: text, HTML, RTF, or Multipurpose Internet Mail Extensions | -| Mail HTML Truncation | The maximum size of an HTML-formatted email message before the message is synchronized to the device (Any HTML-formatted email message that exceeds this size is automatically truncated.) | -| Mail Plain Text Truncation | The maximum size of a text-formatted email message before the message is synchronized to the device (Any text-formatted email message that exceeds this size is automatically truncated.) | -| Schedule | The schedule for synchronizing email between the Exchange Server instance and the device | -| Use SSL | Establishes whether Secure Sockets Layer (SSL) is required when syncing | -| Mail Age Filter | The age of messages to be synchronized with the device (for example, synchronizing messages within the past 7 days) | -| Content Types | The content type that is synchronized (e.g., email, contacts, calendar, task items) | -  -Table 4 lists settings that you can configure in other email profiles. 
+Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization will reduce the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts. -Table 4. Windows 10 Mobile settings for other email profiles +- **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Windows Store, Xbox, or Groove. +- **Allow Adding Non-Microsoft Accounts** Specifies whether users are allowed to add email accounts other than Microsoft accounts. -| Setting | Description | -|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| -| User logon name | The user logon name for the email account | -| Outgoing authentication required | Whether the outgoing server requires authentication | -| Password | The password for the account in the **User logon name** field | -| Domain | The domain name for the account in the **User logon name** field | -| Days to download | How much email (measured in days) should be downloaded from the server | -| Incoming server | The incoming server name and port number, where the value format is *server\_name:port\_number* (The port number is optional.) 
| -| Send and receive schedule | The length of time (in minutes) between email send-and-receive updates | -| IMAP4 maximum attachment size | The maximum size for message attachments for Internet Message Access Protocol version 4 (IMAP4) accounts | -| Send mail display name | The name of the sender displayed on a sent email | -| Outgoing server | The outgoing server name and port number, where the value format is *server\_name:port\_number* (The port number is optional.) | -| Reply address | The user’s reply email address | -| Email service name | The name of the email service | -| Email service type | The email service type (for example, POP3, IMAP4). | -| Maximum receive message size | The maximum size (in bytes) of messages retrieved from the incoming email server (Messages that exceed this size are truncated to the maximum size.) | -| Delete message action | How messages are deleted on the server (Messages can either be permanently deleted or sent to the Trash folder.) | -| Use cellular only | Whether the account should be used only with cellular connections and not Wi-Fi connections | -| Content types to synchronize | The content types supported for synchronization (in other words, mail messages, contacts, calendar items) | -| Content synchronization server | The name of the content synchronization server, if it’s different from the email server | -| Calendar synchronization server | The name of the calendar synchronization server, if it’s different from the email server | -| Contact server requires SSL | Whether the contact server requires an SSL connection | -| Calendar server requires SSL | Whether the calendar server requires an SSL connection | -| Contact items synchronization schedule | The schedule for syncing contact items | -| Calendar items synchronization schedule | The schedule for syncing calendar items | -| Alternative SMTP email account | The display name associated with a user’s alternative Simple Mail Transfer Protocol (SMTP) email account | -| 
Alternate SMTP domain name | The domain name for the user’s alternative SMTP email account | -| Alternate SMTP account enabled | Whether the user’s alternative SMTP account is enabled | -| Alternate SMTP password | The password for the user’s alternative SMTP account | -| Incoming and outgoing servers require SSL | A group of properties that specify whether the incoming and outgoing email servers use SSL | -  -### Account restrictions +### Email accounts -On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices. +*Applies to: Corporate and personal devices* -Table 5. Windows 10 Mobile account management settings -| Setting | Description | -| - | -| -| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | -| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | -| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings.| -  -### Device lock restrictions +Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. 
In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies. -It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports. +- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [ActiveSync CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920017(v=vs.85).aspx). +- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile. ->**Note:**  In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password. -  -Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock restrictions. +### Device Lock restrictions -Table 6. Windows 10 Mobile device lock restrictions +*Applies to: Corporate and personal devices* + +It’s common practice to protect a device that contains corporate information with a passcode when it is not in use. 
As a best practice, Microsoft recommends that you implement a device lock policy for Windows 10 Mobile devices for securing apps and data. You can use a complex password or numeric PIN to lock devices. Introduced with Windows 10, [Windows Hello](http://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello) allows you to use a PIN, a companion device (like Microsoft band), or biometrics to validate your identity to unlock Windows 10 Mobile devices. + +>**Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +To use Windows Hello with biometrics, specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors is required. Hardware based protection of the Windows Hello credentials requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based. +Companion devices must be paired with Windows 10 PC’s via Bluetooth. To use a Windows Hello companion device that enables the user to roam with their Windows Hello credentials requires Pro or Enterprise edition on the Windows 10 PC being signed into. + +Most of the device lock restriction policies have been available via ActiveSync and MDM since Windows Phone 7 and are still available today for Windows 10 Mobile. If you are deploying Windows 10 devices in a personal device deployment scenario, these settings would apply. + +- **Device Password Enabled** Specifies whether users are required to use a device lock password. 
+- **Allow Simple Device Password** Whether users can use a simple password (e.g., 1111 or 1234). +- **Alphanumeric Device Password Required** Whether users need to use an alphanumeric password. When configured, Windows prompts the user with a full device keyboard to enter a complex password. When not configured, the user will be able to enter a numeric PIN on the keyboard. +- **Min Device Password Complex Characters** The number of password element types (i.e., uppercase letters, lowercase letters, numbers, or punctuation) required to create strong passwords. +- **Device Password History** The number of passwords Windows 10 Mobile remembers in the password history (Users cannot reuse passwords in the history to create new passwords.) +- **Min Device Password Length** The minimum number of characters required to create new passwords. +- **Max Inactivity Time Device Lock** The number of minutes of inactivity before devices are locked and require a password to unlock. +- **Allow Idle Return Without Password** Whether users are required to re-authenticate when their devices return from a sleep state before the inactivity time was reached. +- **Max Device Password Failed Attempts** The number of authentication failures allowed before a device is wiped (A value of zero disables device wipe functionality.) +- **Screen Timeout While Locked** The number of minutes before the lock screen times out (this policy influences device power management). +- **Allow Screen Timeout While Locked User Configuration** Whether users can manually configure screen timeout while the device is on the lock screen (Windows 10 Mobile ignores the **Screen Timeout While Locked** setting if you disable this setting). + +Settings related to Windows Hello would be important device lock settings to configure if you are deploying devices using the corporate deployment scenario. +Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. 
This policy default requires users to select a four-digit passcode, but this can be configured with an AAD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment. + +You will notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies will be applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. + +### Prevent changing of settings + +*Applies to: Corporate devices* + +Employees are usually allowed to change certain personal device settings that you may want to lock down on corporate devices. Employees can interactively adjust certain settings of the phone through the settings applets. Using MDM, you can limit what users are allowed to change. 
+ +- **Allow Your Account** Specifies whether users are able to change account configuration in the Your Email and Accounts panel in Settings +- **Allow VPN** Allows the user to change VPN settings +- **Allow Data Sense** Allows the user to change Data Sense settings +- **Allow Date Time** Allows the user to change data and time setting +- **Allow Edit Device Name** Allows users to change the device name +- **Allow Speech Model Update** Specifies whether the device will receive updates to the speech recognition and speech synthesis models (to improve accuracy and performance) + +### Hardware restrictions + +*Applies to: Corporate devices* + +Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi Fi. You can use hardware restrictions to control the availability of these features. + +The following lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. + +>**Note:** Some of these hardware restrictions provide connectivity and assist in data protection. 
+ +- **Allow NFC:** Whether the NFC radio is enabled +- **Allow USB Connection:** Whether the USB connection is enabled (doesn’t affect USB charging) +- **Allow Bluetooth:** Whether users can enable and use the Bluetooth radio on their devices +- **Allow Bluetooth Advertising:** Whether the device can act as a source for Bluetooth advertisements and be discoverable to other devices +- **Allow Bluetooth Discoverable Mode:** Whether the device can discover other devices (e.g., headsets) +- **Allow Bluetooth pre-pairing** Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device +- **Bluetooth Services Allowed List:** The list of Bluetooth services and profiles to which the device can connect +- **Set Bluetooth Local Device Name:** The local Bluetooth device name +- **Allow Camera:** Whether the camera is enabled +- **Allow Storage Card:** Whether the storage card slot is enabled +- **Allow Voice Recording:** Whether the user can use the microphone to create voice recordings +- **Allow Location:** Whether the device can use the GPS sensor or other methods to determine location so applications can use location information + +### Certificates + +*Applies to: Personal and corporate devices* + +Certificates help improve security by providing account authentication, Wi Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation. +To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes. +Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. 
Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. +In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings. +Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](../keep-secure/installing-digital-certificates-on-windows-10-mobile.md). +Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. + +>**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Windows Store. This Windows 10 Mobile app can help you: +- View a summary of all personal certificates +- View the details of individual certificates +- View the certificates used for VPN, Wi-Fi, and email authentication +- Identify which certificates may have expired +- Verify the certificate path and confirm that you have the correct intermediate and root CA certificates +- View the certificate keys stored in the device TPM + +### Wi-Fi profiles + +*Applies to: Corporate and personal devices* + +Wi-Fi is used on mobile devices as much as, or more than, cellular data connections. Most corporate Wi Fi networks require certificates and other complex information to restrict and secure user access. 
This advanced Wi Fi information is difficult for typical users to configure, but MDM systems can fully configure these Wi-Fi profiles without user intervention. +You can create multiple Wi-Fi profiles in your MDM system. The below table lists the Windows 10 Mobile Wi Fi connection profile settings that can be configured by administrators. + +- **SSID** The case-sensitive name of the Wi Fi network Service Set Identifier +- **Security type** The type of security the Wi Fi network uses; can be one of the following authentication types: + - Open 802.11 + - Shared 802.11 + - WPA-Enterprise 802.11 + - WPA-Personal 802.11 + - WPA2-Enterprise 802.11 + - WPA2-Personal 802.11 +- **Authentication encryption** The type of encryption the authentication uses; can be one of the following encryption methods: + - None (no encryption) + - Wired Equivalent Privacy + - Temporal Key Integrity Protocol + - Advanced Encryption Standard (AES) +- **Extensible Authentication Protocol Transport Layer Security (EAP-TLS)** WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use EAP-TLS with certificates for authentication +- **Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)** WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use PEAP-MSCHAPv2 with a user name and password for authentication +- **Shared key** WPA-Personal 802.11 and WPA2-Personal 802.11 security types can use a shared key for authentication. 
+- **Proxy** The configuration of any network proxy that the Wi Fi connection requires (to specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address) +- **Disable Internet connectivity checks** Whether the Wi Fi connection should check for Internet connectivity +- **Proxy auto-configuration URL** A URL that specifies the proxy auto-configuration file +- **Enable Web Proxy Auto-Discovery Protocol (WPAD)** Specifies whether WPAD is enabled + +In addition, you can set a few device wide Wi-Fi settings. +- **Allow Auto Connect to Wi Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks +- **Allow Manual Wi-Fi Configuration** Whether the user can manually configure Wi-Fi settings +- **Allow Wi-Fi** Whether the Wi-Fi hardware is enabled +- **Allow Internet Sharing** Allow or disallow Internet sharing +- **WLAN Scan Mode** How actively the device scans for Wi-Fi networks + +Get more detailed information about Wi-Fi connection profile settings in the [Wi-Fi CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx). + +### APN profiles + +*Applies to: Corporate devices* + +An Access Point Name (APN) defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. +An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. +You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. 
The following lists the MDM settings that Windows 10 Mobile supports for APN profiles.
+
+- **APN name** The APN name
+- *IP connection type* The IP connection type; set to one of the following values:
+ - IPv4 only
+ - IPv6 only
+ - IPv4 and IPv6 concurrently
+ - IPv6 with IPv4 provided by 46xlat
+- **LTE attached** Whether the APN should be attached as part of an LTE Attach
+- **APN class ID** The globally unique identifier that defines the APN class to the modem
+- **APN authentication type** The APN authentication type; set to one of the following values:
+ - None
+ - Auto
+ - PAP
+ - CHAP
+ - MSCHAPv2
+- **User name** The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type
+- **Password** The password for the user account specified in User name
+- **Integrated circuit card ID** The integrated circuit card ID associated with the cellular connection profile
+- **Always on** Whether the connection manager will automatically attempt to connect to the APN whenever it is available
+- **Connection enabled** Specifies whether the APN connection is enabled
+- **Allow user control** Allows users to connect with other APNs than the enterprise APN
+- **Hide view** Whether the cellular UX will allow the user to view enterprise APNs
+
+Get more detailed information about APN settings in the [APN CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn958617(v=vs.85).aspx).
+
+### Proxy
+
+*Applies to: Corporate devices*
+
+The below lists the Windows 10 Mobile settings for managing APN proxy settings for Windows 10 Mobile device connectivity.
+
+- **Connection name** Specifies the name of the connection the proxy is associated with (this is the APN name of a configured connection)
+- **Bypass Local** Specifies if the proxy should be bypassed when local hosts are accessed by the device
+- **Enable** Specifies if the proxy is enabled
+- **Exception** Specifies a semi-colon delimited list of external hosts which should bypass the proxy when accessed
+- **User Name** Specifies the username used to connect to the proxy
+- **Password** Specifies the password used to connect to the proxy
+- **Server** Specifies the name of the proxy server
+- **Proxy connection type** The proxy connection type, supporting: Null proxy, HTTP, WAP, SOCKS4
+- **Port** The port number of the proxy connection
+
+For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914762(v=vs.85).aspx).
+
+### VPN
+
+*Applies to: Corporate and personal devices*
+
+Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Windows Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Windows Store using your MDM system (see App Management).
+
+You can create and provision multiple VPN connection profiles and then deploy them to managed devices that run Windows 10 Mobile.
+To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP), you can use the following settings:
+
+- **VPN Servers** The VPN server for the VPN profile
+- **Routing policy type** The type of routing policy the VPN profile uses can be set to one of the following values:
+ - Split tunnel.
Only network traffic destined to the intranet goes through the VPN connection
+ - Force tunnel. All traffic goes through the VPN connection
+- **Tunneling protocol type** The tunneling protocol used for VPN profiles that use native Windows 10 Mobile VPN protocols can be one the following values: PPTP, L2TP, IKEv2, Automatic
+- **User authentication method** The user authentication method for the VPN connection can have a value of EAP or MSChapv2 (Windows 10 Mobile does not support the value MSChapv2 for IKEv2-based VPN connections)
+- **Machine certificate** The machine certificate used for IKEv2-based VPN connections
+- **EAP configuration** To create a single sign-on experience for VPN users using certificate authentication, you need to create an Extensible Authentication Protocol (EAP) configuration XML file and include it in the VPN profile
+- **L2tpPsk** The pre-shared key used for an L2TP connection
+- **Cryptography Suite** Enable the selection of cryptographic suite attributes used for IPsec tunneling
+
+>**Note:** The easiest way to create a profile for a single sign-on experience with an EAP configuration XML is through the rasphone tool on a Windows 10 PC. Once you run the rasphone.exe, the configuration wizard will walk you through the necessary steps. For step-by-step instructions on creating the EAP configuration XML blob, see EAP configuration. You can use the resulting XML blob in the MDM system to create the VPN profile on Windows 10 Mobile phone. If you have multiple certificates on the devices, you may want to configure filtering conditions for automatic certificate selection, so the employee does not need to select an authentication certificate every time the VPN is turned on. See this article for details. Windows 10 for PCs and Windows 10 Mobile have the same VPN client.
+
+Windows Store–based VPN plugins for the VPN connection allow you to create a VPN plugin profile with the following attributes:
+
+- **VPN server** A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address
+- **Custom configuration** An HTML-encoded XML blob for SSL–VPN plugin–specific configuration information (e.g., authentication information) that the plugin provider requires
+- **Windows Store VPN plugin family name** Specifies the Windows Store package family name for the Windows Store–based VPN plugin
+
+In addition, you can specify per VPN Profile:
+
+- **App Trigger List** You can add an App Trigger List to every VPN profile. The app specified in the list will automatically trigger the VPN profile for intranet connectivity. When multiple VPN profiles are needed to serve multiple apps, the operating system automatically establishes the VPN connection when the user switches between apps. Only one VPN connection at a time can be active. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention.
+- **Route List** List of routes to be added to the routing table for the VPN interface. This is required for split tunneling cases where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
+- **Domain Name Information List** Name Resolution Policy Table (NRPT) rules for the VPN profile.
+- **Traffic Filter List** Specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
+- **DNS suffixes** A comma-separated list of DNS suffixes for the VPN connection. Any DNS suffixes in this list are automatically added to Suffix Search List.
+- **Proxy** Any post-connection proxy support required for the VPN connection; including Proxy server name and Automatic proxy configuration URL. Specifies the URL for automatically retrieving proxy server settings.
+- **Always on connection** Windows 10 Mobile features always-on VPN, which makes it possible to automatically start a VPN connection when a user signs in. The VPN stays connected until the user manually disconnects it.
+- **Remember credentials** Whether the VPN connection caches credentials.
+- **Trusted network detection** A comma-separated list of trusted networks that causes the VPN not to connect when the intranet is directly accessible (Wi-Fi).
+- **Enterprise Data Protection Mode ID** Enterprise ID, which is an optional field that allows the VPN to automatically trigger based on an app defined with a Windows Information Protection policy.
+- **Device Compliance** To set up Azure AD-based Conditional Access for VPN and allow that SSO with a certificate different from the VPN Authentication certificate for Kerberos Authentication in the case of Device Compliance.
+- **Lock Down VPN profile** A Lock Down VPN profile has the following characteristics:
+ - It is an always-on VPN profile.
+ - It can never be disconnected.
+ - If the VPN profile is not connected, the user has no network connectivity.
+ - No other VPN profiles can be connected or modified.
+- **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require.
+
+For more details about VPN profiles, see the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776(v=vs.85).aspx)
+
+Some device-wide settings for managing VPN connections can help you manage VPNs over cellular data connections, which in turn helps reduce costs associated with roaming or data plan charges.
+- **Allow VPN** Whether users can change VPN settings
+- **Allow VPN Over Cellular** Whether users can establish VPN connections over cellular networks
+- **Allow VPN Over Cellular when Roaming** Whether users can establish VPN connections over cellular networks when roaming
+
+### Storage management
+
+*Applies to: Corporate and personal devices*
+
+Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The device encryption in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
+
+Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it.
+
+The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. This gives users the flexibility to use an SD card while still protecting the confidential apps and data on it.
+
+You can disable the **Allow Storage Card** setting if you wish to prevent users from using SD cards entirely. If you choose not to encrypt storage, you can help protect your corporate apps and data by using the Restrict app data to the system volume and Restrict apps to the system volume settings. These help ensure that users cannot copy your apps and data to SD cards.
+
+Here is a list of MDM storage management settings that Windows 10 Mobile provides.
+
+- **Allow Storage Card** Whether the use of storage cards for data storage is allowed
+- **Require Device Encryption** Whether internal storage is encrypted (when a device is encrypted, you cannot use a policy to turn encryption off)
+- **Encryption method** Specifies the BitLocker drive encryption method and cipher strength; can be one of the following values:
+ - AES-Cipher Block Chaining (CBC) 128-bit
+ - AES-CBC 256-bit
+ - XEX-based tweaked-codebook mode with cipher text stealing (XTS)–AES (XTS-AES) 128-bit (this is the default)
+ - XTS-AES-256-bit
+- **Allow Federal Information Processing Standard (FIPS) algorithm policy** Whether the device allows or disallows the FIPS algorithm policy
+- **SSL cipher suites** Specifies a list of the allowed cryptographic cipher algorithms for SSL connections
+- **Restrict app data to the system volume** Specifies whether app data is restricted to the system drive
+- **Restrict apps to the system volume** Specifies whether apps are restricted to the system drive
+
+
+## Apps
+
+*Applies to: Corporate and personal devices*
+
+User productivity on mobile devices is often driven by apps.
+
+Windows 10 makes it possible to develop apps that work seamlessly across multiple devices using the Universal Windows Platform (UWP) for Windows apps. UWP converges the application platform for all devices running Windows 10 so that apps run without modification on all editions of Windows 10. This saves developers both time and resources, helping deliver apps to mobile users more quickly and efficiently. This write-once, run-anywhere model also boosts user productivity by providing a consistent, familiar app experience on any device type.
+
+For compatibility with existing apps, Windows Phone 8.1 apps still run on Windows 10 Mobile devices, easing the migration to the newest platform. Microsoft recommend migrating your apps to UWP to take full advantage of the improvements in Windows 10 Mobile.
In addition, bridges have been developed to easily and quickly update existing Windows Phone 8.1 (Silverlight) and iOS apps to the UWP.
+
+Microsoft also made it easier for organizations to license and purchase UWP apps via Windows Store for Business and deploy them to employee devices using the Windows Store, or an MDM system, that can be integrated with the Windows Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security.
+
+To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/en-us/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/en-us/windows/uwp/porting/index).
+
+### Windows Store for Business: Sourcing the right app
+
+*Applies to: Corporate and personal devices*
+
+The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Windows Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Windows Store. With the Windows Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Windows Store, without the need for MSAs on Windows 10 devices.
+
+Windows Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices.
+
+Azure AD authenticated managers have access to Windows Store for Business functionality and settings, and store managers can create a private category of apps that are specific and private to their organization.
(You can get more details about what specific Azure AD accounts have access to Windows Store for Business here). Windows Store for Business enables organizations to purchase app licenses for their organization and make apps available to their employees. In addition to commercially available apps, your developers can publish line-of-business (LOB) apps to Windows Store for Business by request. You can also integrate their Windows Store for Business subscriptions with their MDM systems, so the MDM system can distribute and manage apps from Windows Store for Business.
+
+Windows Store for Business supports app distribution under two licensing models: online and offline.
+
+The online model (store-managed) is the recommended method, and supports both personal device and corporate device management scenarios. To install online apps, the device must have Internet access at the time of installation. On corporate devices, an employee can be authenticated with an Azure AD account to install online apps. On personal devices, an employee must register their device with Azure AD to be able to install corporate licensed online apps.
+Corporate device users will find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system app catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention.
+
+Employees with personal devices can install apps licensed by their organization using the Store app on their device. They can use either the Azure AD account or Microsoft Account within the Store app if they wish to purchase personal apps. If you allow employees with corporate devices to add a secondary Microsoft Account (MSA), the Store app on the device provides a unified method for installing personal and corporate apps.
+
+Online licensed apps do not need to be transferred or downloaded from the Windows Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Windows Store for Business reclaims the license so it can be used for another user or on another device.
+
+To distribute an app offline (organization-managed), the app must be downloaded from the Windows Store for Business. This can be accomplished in the Windows Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Windows Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online licensing method.
+
+To install acquired Windows Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Windows Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required.
+
+Windows Store apps or LOB apps that have been uploaded to the Windows Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Windows Store certificates. LOB apps that are uploaded to the Windows Store for Business are private to your organization and are never visible to other companies or consumers.
If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
+
+Learn more about the [Windows Store for Business](windows-store-for-business.md).
+
+### Managing apps
+
+*Applies to: Corporate devices*
+
+IT administrators can control which apps are allowed to be installed on Windows 10 Mobile devices and how they should be kept up-to-date.
+
+Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Windows Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Windows Store.
+
+For more details, see [AppLocker CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019(v=vs.85).aspx).
+
+In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM.
+
+- **Allow All Trusted Apps** Whether users can sideload apps on the device.
+- **Allow App Store Auto Update** Whether automatic updates of apps from Windows Store are allowed.
+- **Allow Developer Unlock** Whether developer unlock is allowed.
+- **Allow Shared User App Data** Whether multiple users of the same app can share data.
+- **Allow Store** Whether Windows Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system.
+- **Application Restrictions** An XML blob that defines the app restrictions for a device. The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher. See AppLocker above.
+- **Disable Store Originated Apps** Disables the launch of all apps from Windows Store that came pre-installed or were downloaded before the policy was applied.
+- **Require Private Store Only** Whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.
+- **Restrict App Data to System Volume** Whether app data is allowed only on the system drive or can be stored on an SD card.
+- **Restrict App to System Volume** Whether app installation is allowed only to the system drive or can be installed on an SD card.
+- **Start screen layout** An XML blob used to configure the Start screen (see [Start layout for Windows 10 Mobile](http://msdn.microsoft.com/en-us/library/windows/hardware/mt171093(v=vs.85).aspx) for more information).
+
+Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps)
+
+### Data leak prevention
+
+*Applies to: Corporate and personal devices*
+
+One of the biggest challenges in protecting corporate information on mobile devices is keeping that data separate from personal data.
Most solutions available to create this data separation require users to login in with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.
+
+Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data protected and personal data private. It automatically tags personal and corporate data and applies policies for those apps that can access data classified as corporate. This includes when data is at rest on local or removable storage. Because corporate data is always protected, users cannot copy it to public locations like social media or personal email.
+
+Windows Information Protection works with all apps, which are classified into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on policies. Corporate data will be encrypted at all times and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps consider all data corporate and encrypt everything by default.
+
+Any app developed on the UWA platform can be enlightened. Microsoft has made a concerted effort to enlighten several of its most popular apps, including:
+- Microsoft Edge
+- Microsoft People
+- Mobile Office apps (Word, Excel, PowerPoint, and OneNote)
+- Outlook Mail and Calendar
+- Microsoft Photos
+- Microsoft OneDrive
+- Groove Music
+- Microsoft Movies & TV
+- Microsoft Messaging
+
+The following table lists the settings that can be configured for Windows Information Protection:
+- **Enforcement level*** Set the enforcement level for information protection:
+ - Off (no protection)
+ - Silent mode (encrypt and audit only)
+ - Override mode (encrypt, prompt, and audit)
+ - Block mode (encrypt, block, and audit)
+- **Enterprise protected domain names*** A list of domains used by the enterprise for its user identities.
User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected.
+- **Allow user decryption** Allows the user to decrypt files. If not allowed, the user will not be able to remove protection from enterprise content through the OS or app user experience.
+- **Require protection under lock configuration** Specifies whether the protection under lock feature (also known as encrypt under PIN) should be configured.
+- **Data recovery certificate*** Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy.
+- **Revoke on unenroll** Whether to revoke the information protection keys when a device unenrolls from the management service.
+- **RMS template ID for information protection** Allows the IT admin to configure the details about who has access to RMS-protected files and for how long.
+- **Allow Azure RMS for information protection** Specifies whether to allow Azure RMS encryption for information protection.
+- **Show information protection icons** Determines whether overlays are added to icons for information protection secured files in web browser and enterprise-only app tiles in the Start menu.
+- **Status** A read-only bit mask that indicates the current state of information protection on the device. The MDM service can use this value to determine the current overall state of information protection.
+- **Enterprise IP Range*** The enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected.
+- **Enterprise Network Domain Names*** the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected.
+- **Enterprise Cloud Resources** A list of Enterprise resource domains hosted in the cloud that need to be protected.
+
+>**Note:** * Are mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings - specifically Enterprise IP Range and Enterprise Network Domain Names – must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key (so that others in the company can access it.
+
+For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](../keep-secure/protect-enterprise-data-using-wip.md).
+
+### Managing user activities
+
+*Applies to: Corporate devices*
+
+On corporate devices, some user activities expose corporate data to unnecessary risk. For example, users might create a screen capture of corporate information out of an internal LOB app. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. The following demonstrates those capabilities that can be used to help prevent data leaks.
+
+- **Allow copy and paste** Whether users can copy and paste content
+- **Allow Cortana** Whether users can use Cortana on the device (where available)
+- **Allow device discovery** Whether the device discovery user experience is available on the lock screen (for example, controlling whether a device could discover a projector [or other devices] when the lock screen is displayed)
+- **Allow input personalization** Whether personally identifiable information can leave the device or be saved locally (e.g., Cortana learning, inking, dictation)
+- **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system)
+- **Allow screen capture** Whether users are allowed to capture screenshots on the device
+- **Allow SIM error dialog prompt** Specifies whether to display a dialog prompt when no SIM card is installed
+- **Allow sync my settings** Whether the user experience settings are synchronized between devices (works with Microsoft accounts only)
+- **Allow toasts notifications above lock screen** Whether users are able to view toast notification on the device lock screen
+- **Allow voice recording** Whether users are allowed to perform voice recordings
+- **Do Not Show Feedback Notifications** Prevents devices from showing feedback questions from Microsoft
+- **Allow Task Switcher** Allows or disallows task switching on the device to prevent visibility of App screen tombstones in the task switcher
+- **Enable Offline Maps Auto Update** Disables the automatic download and update of map data
+- **Allow Offline Maps Download Over Metered Connection** Allows the download and update of map data over metered connections
+
+You can find more details on the experience settings in Policy CSP.
+
+### Microsoft Edge
+
+*Applies to: Corporate and personal devices*
+
+MDM systems also give you the ability to manage Microsoft Edge on mobile devices.
Microsoft Edge is the only browser available on Windows 10 Mobile devices. It differs slightly from the desktop version as it does not support Flash or Extensions. Edge is also an excellent PDF viewer as it can be managed and integrates with Windows Information Protection.
+
+The following settings for Microsoft Edge on Windows 10 Mobile can be managed.
+
+- **Allow Browser** Whether users can run Microsoft Edge on the device
+- **Allow Do Not Track headers** Whether Do Not Track headers are allowed
+- **Allow InPrivate** Whether users can use InPrivate browsing
+- **Allow Password Manager** Whether users can use Password Manager to save and manage passwords locally
+- **Allow Search Suggestions in Address Bar** Whether search suggestions are shown in the address bar
+- **Allow SmartScreen** Whether SmartScreen Filter is enabled
+- **Cookies** Whether cookies are allowed
+- **Favorites** Configure Favorite URLs
+- **First Run URL** The URL to open when a user launches Microsoft Edge for the first time
+- **Prevent SmartScreen Prompt Override** Whether users can override the SmartScreen warnings for URLs
+- **Prevent Smart Screen Prompt Override for Files** Whether users can override the SmartScreen warnings for files
+
+## Manage
+
+In enterprise IT environments, the need for security and cost control must be balanced against the desire to provide users with the latest technologies. Since cyberattacks have become an everyday occurrence, it is important to properly maintain the state of your Windows 10 Mobile devices. IT needs to control configuration settings, keeping them from drifting out of compliance, as well as enforce which devices can access internal applications. Windows 10 Mobile delivers the mobile operations management capabilities necessary to ensure that devices are in compliance with corporate policy.
+ +### Servicing options + +**A streamlined update process** + +*Applies to: Corporate and personal devices* + +Microsoft has streamlined the Windows product engineering and release cycle so new features, experiences, and functionality demanded by the market can be delivered more quickly than ever before. Microsoft plans to deliver two Feature Updates per year (12-month period). Feature Updates establish a Current Branch or CB, and have an associated version. --+++ - - - - - - - - + + + - - + + + - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + +
SettingDescription
Device Password Enabled

Specifies whether users are required to use a device lock password

-
-Note   -

-
    -
  • When a device is registered with Azure AD and automatic MDM enrollment is not configured, the user will automatically be prompted to set a password PIN of at least six digits (simple PINs are not allowed).

  • -
  • If the device is capable of using biometric authentication, the user will be able to enroll an iris or other biometric gesture (depending on hardware) for device lock purposes. When a user uses a biometric gesture, he or she can still use the PIN as a fallback mechanism (for example, if the iris-recognition camera fails).

  • -
-
-
-  -
BranchVersionRelease Date
Allow Simple Device PasswordWhether users can use a simple password (for example, 1111 or 1234)Current Branch1511November 2015
Alphanumeric Device Password RequiredWhether users need to use an alphanumeric password When configured, Windows prompts the user with a full device keyboard to enter a complex password. When not configured, the user will be able to enter a numeric PIN on the keyboard.Current Branch for Business1511March 2016
Min Device Password Complex CharactersThe number of password element types (in other words, uppercase letters, lowercase letters, numbers, or punctuation) required to create strong passwords
Device Password ExpirationThe number of days before a password expires (Biometric data does not expire.)
Device Password HistoryThe number of passwords Windows 10 Mobile remembers in the password history (Users cannot reuse passwords in the history to create new passwords.)
Min Device Password LengthThe minimum number of characters required to create new passwords
Max Inactivity Time Device LockThe number of minutes of inactivity before devices are locked and require a password to unlock
Allow Idle Return Without PasswordWhether users are required to re-authenticate when their devices return from a sleep state, before the inactivity time was reached
Max Device Password Failed AttemptsThe number of authentication failures allowed before a device is wiped (A value of zero disables device wipe functionality.)
Screen Timeout While LockedThe number of minutes before the lock screen times out (This policy influences the device’s power management.)
Allow Screen Timeout While Locked User ConfigurationWhether users can manually configure screen timeout while the device is on the lock screen (Windows 10 Mobile ignores the Screen Timeout While Locked setting if you disable this setting.)Current Branch1607July 2016
-  -### Hardware restrictions -Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. +Microsoft will also deliver and install monthly updates for security and stability directly to Windows 10 Mobile devices. These Quality Updates, released under Microsoft control via Windows Update, are available for all devices running Windows 10 Mobile. Windows 10 Mobile devices consume Feature Updates and Quality Updates as part of the same standard update process. ->**Note:**  Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs. -  -Table 7. Windows 10 Mobile hardware restrictions +Quality Updates are usually smaller than Feature Updates, but the installation process and experience is very similar, though larger updates will take more time to install. Enterprise customers can manage the update experience and process on Windows 10 Mobile devices using an MDM system, after upgrading the devices to Enterprise edition. In most cases, policies to manage the update process will apply to both feature and quality updates. 
-| Setting | Description | -|--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| -| Allow NFC | Whether the NFC radio is enabled | -| Allow USB Connection | Whether the USB connection is enabled (this setting doesn’t affect USB charging) | -| Allow Bluetooth | Whether users can enable and use the Bluetooth radio on their devices | -| Allow Bluetooth Advertising | Whether the device can act as a source for Bluetooth advertisements and be discoverable to other devices | -| Allow Bluetooth Discoverable Mode | Whether the device can discover other devices (for example, headsets) | -| Bluetooth Services Allowed List | The list of Bluetooth services and profiles to which the device can connect | -| Set Bluetooth Local Device Name | The local Bluetooth device name | -| Allow Wi-Fi | Whether the Wi-Fi radio is enabled | -| Allow Auto Connect to Wi-Fi Sense Hotspots | Whether the device can automatically connect to Wi-Fi hotspots and friends’ home networks that are shared through Wi-Fi Sense | -| Allow Manual Wi-Fi Configuration | Whether users can manually connect to Wi-Fi networks not specified in the MDM system’s list of configured Wi-Fi networks | -| WLAN Scan Mode | How actively the device scans for Wi-Fi networks (This setting is hardware dependent.) | -| Allow Camera | Whether the camera is enabled | -| Allow Storage Card | Whether the storage card slot is enabled | -| Allow Voice Recording | Whether the user can use the microphone to create voice recordings | -| Allow Location | Whether the device can use the GPS sensor or other methods to determine location so applications can use location information | -  -### Certificate management - -Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. 
Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides. - -Table 8. Windows 10 Mobile SCEP certificate enrollment settings - -| Setting | Description | -|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Certificate enrollment server URLs | The certificate enrollment servers (to specify multiple server URLs, separate the URLs with semicolons \[;\]) | -| SCEP enrollment challenge | The Base64-encoded SCEP enrollment challenge | -| Extended key use object identifiers | The object identifiers (OIDs) for extended key use | -| Key usage | The key usage bits for the certificate in decimal format | -| Subject name | The certificate subject name | -| Private key storage | Where to store the private key (in other words, the Trusted Platform Module \[TPM\], a software key storage provider \[KSP\], or the Microsoft Passport KSP) | -| Pending retry delay | How long the device will wait to retry when the SCEP server sends a pending status | -| Pending retry count | The number of times a device will retry when the SCEP server sends a pending 
status |
-| Template name | The OID of the certificate template name |
-| Private key length | The private key length (in other words, 1024, 2048, or 4096 bits; Microsoft Passport supports only the 2048 key length) |
-| Certificate hash algorithm | The hash algorithm family (in other words, SHA-1, SHA-2, SHA-3; multiple hash algorithm families are separated by plus signs \[+\]) |
-| Root CA thumbprint | The root CA thumbprint |
-| Subject alternative names | Subject alternative names for the certificate (Use semicolons to separate multiple subject alternative names.) |
-| Valid period | The unit of measure for the period of time the certificate is considered valid (in other words, days, months, or years) |
-| Valid period units | The number of units of time that the certificate is considered valid (Use this setting with the **Valid Period** setting. For example, if this setting is **3** and **Valid Period** is **Years**, the certificate is valid for 3 years.) |
-| Custom text to show in Microsoft Passport PIN prompt | The custom text to show on the Microsoft Passport PIN prompt during certificate enrollment |
-| Thumbprint | The current certificate thumbprint, if certificate enrollment succeeds |
-  
-In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. Table 9 lists the Windows 10 Mobile PFX certificate deployment settings.
-
-Table 9. 
Windows 10 Mobile PFX certificate deployment settings - -| Setting | Description | -|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Private key storage | Where to store the private key (in other words, the TPM, a software KSP, or the Microsoft Passport KSP) | -| Microsoft Passport container name | The tenant identifier of the Azure AD tenant from which the Microsoft Passport is derived, required only if you select **Microsoft Passport KSP** in **Private key storage** | -| PFX packet | The PFX packet with the exported and encrypted certificates and keys in Binary64 format | -| PFX packet password | The password that protects the PFX blob specified in **PFX packet** | -| PFX packet password encryption | Whether the MDM system encrypts the PFX certificate password with the MDM certificate | -| PFX private key export | Whether the PFX private key can be exported | -| Thumbprint | The thumbprint of the installed PFX certificate | -  -Use the **Allow Manual Root Certificate Installation** setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. - ->**Note:**  To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: - -- View a summary of all personal certificates. -- View the details of individual certificates. -- View the certificates used for VPN, Wi-Fi, and email authentication. -- Identify which certificates may have expired. -- Verify the certificate path and confirm that you have the correct intermediate and root CA certificates. -- View the certificate keys stored in the device TPM. -  -### Wi-Fi - -People use Wi-Fi on their mobile devices as much as or more than cellular data. 
Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention. - -Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table to help you create Wi-Fi connection profiles in your MDM system. - -Table 10. Windows 10 Mobile Wi-Fi connection profile settings +Microsoft aspires to update Windows 10 Mobile devices with the latest updates automatically and without being disruptive for all customers. Out-of-the-box, a Windows 10 Mobile device will Auto Scan for available updates. However, depending on the device’s network and power status, update methods and timing will vary. --++++++ - - - - - - - - + + + + + + - - + + + + + - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + +
SettingDescription
SSIDThe case-sensitive name of the Wi-Fi network (service set identifier [SSID])Network connectionDescriptionAuto ScanAuto DownloadAuto InstallAuto Restart
Security typeThe type of security the Wi-Fi network uses; can be one of the following authentication types: -
    -
  • Open 802.11

  • -
  • Shared 802.11

  • -
  • WPA-Enterprise 802.11

  • -
  • WPA-Personal 802.11

  • -
  • WPA2-Enterprise 802.11

  • -
  • WPA2-Personal 802.11

  • -
Wi-FiDevice is connected to a personal or corporate Wi-Fi network (no data charges)YesYes/td> +YesYes – outside of Active Hours (forced restart after 7 days if user postpones restart)
Authentication encryptionThe type of encryption the authentication uses; can be one of the following encryption methods: -
    -
  • None (no encryption)

  • -
  • Wired Equivalent Privacy

  • -
  • Temporal Key Integrity Protocol

  • -
  • Advanced Encryption Standard (AES)

  • -
CellularDevice is only connected to a cellular network (standard data charges apply)Will skip a daily scan if scan was successfully completed in the last 5 daysWill only occur if update package is small and does not exceed the mobile operator data limit or the user clicks “download now”.Yes, if the user clicked “download now”Idem
Extensible Authentication Protocol Transport Layer Security (EAP-TLS)WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use EAP-TLS with certificates for authentication
Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use PEAP-MSCHAPv2 with a user name and password for authentication
Shared keyWPA-Personal 802.11 and WPA2-Personal 802.11 security types can use a shared key for authentication.
ProxyThe configuration of any network proxy that the Wi-Fi connection requires (To specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address.)
Disable Internet connectivity checksWhether the Wi-Fi connection should check for Internet connectivity
Proxy auto-configuration URLA URL that specifies the proxy auto-configuration file
Enable Web Proxy Auto-Discovery Protocol (WPAD)Specifies whether WPAD is enabledCellular -- RoamingDevice is only connected to a cellular network and roaming charges applyNoNoNoIdem
-  -Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity. -Table 11. Windows 10 Mobile Wi-Fi connectivity settings +**Keeping track of updates releases** -| Setting | Configuration | -|--------------------------------------------|----------------------------------------------------------------------------| -| Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks | -| Allow Manual Wi-Fi Configuration | Whether the user can manually configure Wi-Fi settings | -| Allow Wi-Fi | Whether the Wi-Fi hardware is enabled | -| WLAN Scan Mode | How actively the device scans for Wi-Fi networks | -  -### Proxy +*Applies to: Corporate and Personal devices* -Apps running on Windows 10 Mobile (for example, Microsoft Edge) can use proxy connections to access Internet content, but Wi-Fi connections on the corporate intranet most typically use proxy connections, instead. You can define multiple proxies in Windows 10 Mobile. +Microsoft publishes new feature updates for Windows 10 and Windows 10 Mobile on a regular basis. The [Windows release information page](https://technet.microsoft.com/en-us/windows/release-info) is designed to help you determine if your devices are current with the latest Windows 10 feature and quality updates. The release information published on this page, covers both Windows 10 for PCs and Windows 10 Mobile. In addition, the [Windows update history page](http://windows.microsoft.com/en-us/windows-10/update-history-windows-10) helps you understand what these updates are about. ->**Note:**  Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file. -  -Table 12 lists the Windows 10 Mobile settings for proxy connections. 
+>**Note:** +We invite IT Professionals to participate in the Windows Insider Program to test updates before they are officially released to make Windows 10 Mobile even better. If you find any issues, please send us feedback via the Feedback Hub -Table 12. Windows 10 Mobile proxy connection settings +**Windows as a Service** + +*Applies to: Corporate and Personal devices* + +Microsoft created a new way to deliver and install updates to Windows 10 Mobile directly to devices without Mobile Operator approval. This capability helps to simplify update deployments and ongoing management, broadens the base of employees who can be kept current with the latest Windows features and experiences, and lowers total cost of ownership for organizations who no longer have to manage updates to keep devices secure. + +Update availability depends on what servicing option you choose for the device. These servicing options are outlined in the chart below: --+++++ - - - - - - - - + + + + + - - + + + + - - + + + + + - - - - - - - - - - - - - - - - - - + + + + +
SettingsConfiguration
Proxy nameThe unique name of the proxy connectionServicing optionAvailability of new features for installationMinimum length of servicing lifetimeKey benefitsSupported editions
Proxy IDThe unique identifier for the proxy connectionWindows Insider BuildsAs appropriate during development cycle, released to Windows Insiders onlyVariable, until the next Insider build is released to Windows InsidersAllows Insiders to test new feature and application compatibility before a Feature Update is released/td> +Mobile
NameThe user-friendly name of the proxy connectionCurrent Branch (CB)Immediately after the Feature Update is published to Windows Update by MicrosoftMicrosoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer)Makes new features available to users as soon as possibleMobile & Mobile Enterprise
Server addressThe address of the proxy server, which can be the server FQDN or IP address
IP address typeThe IP address type that identifies the proxy server, which can be one of the following values: -
    -
  • IPV4

  • -
  • IPV6

  • -
  • E164

  • -
  • ALPHA

  • -
Proxy connection typeThe proxy connection type, which can be one of the following values: -
    -
  • ISA

  • -
  • WAP

  • -
  • SOCKS

  • -
  • NULL

  • -
PortsThe port information for the proxy connection; includes the following settings: -
    -
  • Port Name. The unique name of a port that the proxy connection uses, such as PORT0 or PORT1

  • -
  • Port Name/Port Nbr. The proxy connection port number for this port

  • -
  • Port Name/Services. The services that use this proxy connection port

  • -
  • Services/Service Name. The name of a service that uses the proxy connection

  • -
  • Services/Service Name/Service Name. The protocol associated with the parent port connection

  • -
Configuration referenceThe connection reference information for the proxy connection. The corporation determines the information in this optional setting.Current Branch for Business (CBB)A minimum of four months after the corresponding Feature Update is first published to Windows Update by MicrosoftA minimum of four months, though it potentially can be longerNoProvides additional time to test new feature before deploymentMobile Enterprise only
-  -### VPN -In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \ -[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: +**Enterprise Edition** -- IKEv2 -- IP security -- SSL VPN connections (which require a downloadable plug-in from the VPN server vendor) +*Applies to: Corporate devices* -You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN connection for each app that requires intranet connectivity. When users switch between apps, the operating system automatically establishes the VPN connection for that app. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention. +While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 Mobile Enterprise edition. -With always-on VPN, Windows 10 Mobile can automatically start a VPN connection when a user signs-in, as well. The VPN stays connected until the user manually disconnects it. -MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN connection profiles and associating VPN connections with apps. You can create and provision VPN connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13 lists the Windows 10 Mobile fields for VPN connection profiles. 
+Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to:
+- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
+- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required.
+- **Set the telemetry level:** Microsoft collects telemetry data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the telemetry level so that only telemetry information required to keep devices secured is gathered.
-Table 13. Windows 10 Mobile VPN connection profile settings
+To learn more about telemetry, visit [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+
+To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required. 
+
+Details on updating a device to Enterprise edition with [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904983(v=vs.85).aspx)
+
+>**Recommendation:** Microsoft recommends using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices.
+
+**Deferring and Approving Updates with MDM**
+
+*Applies to: Corporate devices with Enterprise edition*
+
+Once a device is upgraded to Windows 10 Mobile Enterprise edition, you can manage devices that receive updates from Windows Update (or Windows Update for Business) with a set of update policies.
+
+To control Feature Updates, you will need to move your devices to the Current Branch for Business (CBB) servicing option. A device that subscribes to CBB will wait for the next CBB to be published by Microsoft Update. While the device will wait for Feature Updates until the next CBB, Quality Updates will still be received by the device.
+
+To control monthly Quality Update additional deferral policies, need to be set to your desired deferral period. When Quality Updates are available for your Windows 10 Mobile devices from Windows Update, these updates will not install until your deferral period lapses. This gives IT Professionals some time to test the impact of the updates on devices and apps.
+
+Before updates are distributed and installed, you may want to test them for issues or application compatibility. IT pros have the ability require updates to be approved. This enables the MDM administrator to select and approve specific updates to be installed on a device and accept the EULA associated with the update on behalf of the user. Please remember that on Windows 10 Mobile all updates are packaged as a “OS updates” and never as individual fixes. 
+ +You may want to choose to handle Quality Updates and Feature Updates in the same way and not wait for the next CBB to be released to your devices. This streamlines the release of updates using the same process for approval and release. You can apply different deferral period by type of update. In version 1607 Microsoft added additional policy settings to enable more granularity to control over updates. + +Once updates are being deployed to your devices, you may want to pause the rollout of updates to enterprise devices. +For example, after you start rolling out a quality update, certain phone models are adversely impacted or users are reporting a specific LOB app is not connecting and updating a database. Problems can occur that did not surface during initial testing. +IT professionals can pause updates to investigate and remediate unexpected issues. + +The following table summarizes applicable update policy settings by version of Windows 10 Mobile. All policy settings are backward compatible, and will be maintained in future Feature Updates. Consult the documentation of your MDM system to understand support for these settings in your MDM. --+++ - - - - - - - - + + + - - + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + +
SettingDescription
Native VPN protocol profile

The configuration information when the VPN uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP); includes the following settings:

-
    -
  • Servers. The VPN server for the VPN profile

  • -
  • Routing policy type. The type of routing policy the VPN profile uses; can be set to one of the following values:

    -
      -
    • Split tunnel. Only network traffic destined to the intranet goes through the VPN connection.

    • -
    • Force tunnel. All traffic goes through the VPN connection.

    • -
  • -
  • Tunneling protocol type. The tunneling protocol used for VPN profiles that use native Windows 10 Mobile VPN protocols; can be one the following values:

    -
      -
    • PPTP

    • -
    • L2TP

    • -
    • IKEv2

    • -
    • Automatic

    • -
  • -
  • User authentication method. The user authentication method for the VPN connection; can have a value of EAP or MSChapv2. Windows 10 Mobile does not support the value MSChapv2 for IKEv2-based VPN connections.

  • -
  • Machine certificate. The machine certificate used for IKEv2-based VPN connections.

  • -
  • EAP configuration. An HTML-encoded XML blob of the EAP configuration. For more information about creating the EAP configuration XML blob, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=734055). You can use the XML blob these steps create in the MDM system to create the VPN profile.

  • -
Activity (Policy)Version 1511 settingsVersion 1607 settings
VPN plugin profileWindows Store–based VPN plug-ins for the VPN connection; includes the following settings: -
    -
  • VPN servers. A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address.

  • -
  • Custom configuration. An HTML-encoded XML blob for SSL–VPN plug-in–specific configuration information (e.g., authentication information) that the plug-in provider requires.

  • -
  • Windows Store VPN plugin family name. Specifies the Windows Store package family name for the Windows Store–based VPN plug-in.

  • -
Subscribe device to CBB, to defer Feature UpdatesRequireDeferUpgrade + +Defers Feature Update until next CBB release. Device will receive quality updates from Current Branch for Business (CBB). +Defers feature update for minimum of 4 months after Current Branch was release.BranchReadinessLevel + +Defers Feature Update until next CBB release. Device will receive quality updates from Current Branch for Business (CBB). +Defers feature update for minimum of 4 months after Current Branch was release.
Defer UpdatesDeferUpdatePeriod + +Defer Quality Updates for 4 weeks or 28 daysDeferQualityUpdatePeriodInDays + +Defer Feature and Quality Updates for up to 30 days.
Approve UpdatesRequireUpdateApproval + +RequireUpdateApproval + +
Always on connectionWhether the VPN connects at user sign-in and stays connected until the user manually disconnects the VPN connection.
App trigger listA list of apps that automatically initiate the VPN connection. Each app trigger in the list includes the following settings: -
    -
  • App ID. The app identity for the app that automatically initiates the VPN connection Any apps in this list can send data through the VPN connection; set it to one of the following values:

    -
      -
    • Unique name of the Windows Store app (Package Family Name). The package family name is a unique name for each app. For example, the package family name for the Skype app is Microsoft.SkypeApp_kzf8qxf38zg5c.

    • -
    • Fully qualified path to the app (such as C:\Windows\System\Notepad.exe).

    • -
    • Kernel driver name.

    • -
  • -
DNS suffixesA comma-separated list of DNS suffixes for the VPN connection. Any DNS suffixes in this list are automatically added to Suffix Search List.
LockDown VPN profileWhether this VPN connection is a LockDown profile. A LockDown VPN profile has the following characteristics: -
    -
  • It is an always-on VPN profile.

  • -
  • It can never be disconnected.

  • -
  • If the VPN profile is not connected, the user has no network connectivity.

  • -
  • No other VPN profiles can be connected or modified.

  • -
-

You must delete a LockDown VPN profile before you can add, remove, or connect other VPN profiles.

Name Resolution Policy Table rulesA list of Name Resolution Policy Table rules for the VPN connection. Each rule in the list includes the following settings: -
    -
  • Domain name. The namespace for the policy; can be an FQDN or a domain suffix.

  • -
  • Domain name type. The type of namespace in Domain name; has a value of either FQDN or Suffix.

  • -
  • DNS servers. A comma-separated list of DNS server IP addresses to use for the namespace specified in Domain name.

  • -
  • Web proxy servers. The IP address for the web proxy server (if the intranet redirects traffic through a web proxy server).

  • -
ProxyAny post connection proxy support required for the VPN connection; includes the following settings: -
    -
  • Proxy server. Specifies the fully qualified host name or IP address of the proxy server when a specific proxy server is required.

  • -
  • Automatic proxy configuration URL. Specifies the URL for automatically retrieving proxy server settings.

  • -
Remember credentialsWhether the VPN connection caches credentials.
Route listA list of routes to add to the routing table for the VPN connection. Each route in the list includes the following settings: -
    -
  • Address. The destination subnet address in IPv4 or IPv6 format (such as 192.168.0.0).

  • -
  • Prefix size. The portion of the address used to identify the destination subnet address (such as 16 to produce the subnet 192.168.0.0/16).

  • -
Traffic filter listA list of traffic rules that define the traffic that can be sent through the VPN connection. Each rule in the list includes the following settings: -
    -
  • App ID. The app identity for the traffic filter based on a specific app (app-based traffic filter). Any apps in this list can send data through the VPN connection; set to one of the following values:

    -
      -
    • Unique name of the Windows Store app (Package Family Name). The package family name is a unique name for each app. For example, the package family name for the Skype app is Microsoft.SkypeApp_kzf8qxf38zg5c.

    • -
    • Fully qualified path to the app (such as C:\Windows\System\Notepad.exe).

    • -
    • Kernel driver name.

    • -
  • -
  • Protocol. The IP protocol to use for the traffic filter rule (for example, TCP = 6, UDP = 17).

  • -
  • Local port ranges. Specifies a comma-separated list of local IP port ranges (for example, 100–180, 200, 300–350).

  • -
  • Remote port ranges. A comma-separated list of remote IP port ranges (for example, 100–180, 200, 300–350).

  • -
  • Local address ranges. A comma-separated list of local IP address ranges that are allowed to use the VPN connection (for example, 192.168.0.1–192.168.0.255, 172.16.10.0–172.16.10.255).

  • -
  • Remote address ranges. A comma-separated list of remote IP address ranges that are allowed to use the VPN connection (for example, 192.168.0.1–192.168.0.255, 172.16.10.0–172.16.10.255).

  • -
  • Routing policy type. The type of IP tunnel for the VPN connection; set to one of the following:

    -
      -
    • Split tunnel. Only traffic destined for the intranet is sent through the VPN connection.

    • -
    • Force tunnel. All traffic is sent through the VPN connection.

    • -
  • -
Trusted network detectionA comma-separated list of trusted networks that causes the VPN not to connect when the intranet is directly accessible.Pause Update rollout once an approved update is being deployed, pausing the rollout of the update.PauseDeferrals + +Pause Feature Updates for up to 35 daysPauseQualityUpdates + +Pause Feature Updates for up to 35 days
-  -Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or data plan charges. - -Table 14. Windows 10 Mobile VPN management settings - -| Setting | Description | -|--------------------------------------|---------------------------------------------------------------------------------| -| Allow VPN | Whether users can change VPN settings | -| Allow VPN Over Cellular | Whether users can establish VPN connections over cellular networks | -| Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming | -  -### APN profiles - -An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. - -An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not common in the United States. - -You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists the MDM settings that Windows 10 Mobile supports for APN profiles. - -Table 15. Windows 10 Mobile APN profile settings - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDescription
APN nameThe APN name
IP connection typeThe IP connection type; set to one of the following values: -
    -
  • IPv4 only

  • -
  • IPv6 only

  • -
  • IPv4 and IPv6 concurrently

  • -
  • IPv6 with IPv4 provided by 46xlat

  • -
LTE attachedWhether the APN should be attached as part of an LTE Attach
APN class IDThe globally unique identifier that defines the APN class to the modem
APN authentication typeThe APN authentication type; set to one of the following values: -
    -
  • None

  • -
  • Auto

  • -
  • PAP

  • -
  • CHAP

  • -
  • MSCHAPv2

  • -
User nameThe user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type
PasswordThe password for the user account specified in User name
Integrated circuit card IDThe integrated circuit card ID associated with the cellular connection profile
-  -### Data leak protection - -Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data -and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. - -Table 16. Windows 10 Mobile data leak protection settings - -| Setting | Description | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow copy and paste | Whether users can copy and paste content | -| Allow Cortana | Whether users can use Cortana on the device, where available | -| Allow device discovery | Whether the device discovery user experience is available on the lock screen (For example, this setting can control whether a device could discover a projector \[or other devices\] when the lock screen is displayed.) 
| -| Allow input personalization | Whether personally identifiable information can leave the device or be saved locally (for example, Cortana learning, inking, dictation) | -| Allow manual MDM unenrollment | Whether users are allowed to delete the workplace account (in other words, unenroll the device from the MDM system) | -| Allow screen capture | Whether users are allowed to capture screenshots on the device | -| Allow SIM error dialog prompt | Specifies whether to display a dialog prompt when no SIM card is installed | -| Allow sync my settings | Whether the user experience settings are synchronized between devices (works with Microsoft accounts only) | -| Allow toasts notifications above lock screen | Whether users are able to view toast notification on the device lock screen | -| Allow voice recording | Whether users are allowed to perform voice recordings. | -  -### Storage management - -Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. - -A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on, so you don’t need to set a policy explicitly to enable it. -The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. 
-You can disable the **Allow Storage Card** setting to prevent users from using SD cards altogether, but the primary advantage of the SD card app partition–encryption feature is that organizations can give users the flexibility to use an SD card while still protecting the confidential apps and data on it. - -If you don’t encrypt storage, you can help protect your corporate apps and data by using the **Restrict app data to the system volume** and **Restrict apps to the system volume** settings. They help ensure that users cannot copy your apps and data to SD cards. - -Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides. - -Table 17. Windows 10 Mobile storage management settings - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDescription
Allow Storage CardWhether users can use storage cards for device storage (This setting does not prevent programmatic access to the storage cards.)
Require Device EncryptionWhether internal storage is encrypted (When a device is encrypted, you cannot use a policy to turn encryption off.)
Encryption methodSpecifies the BitLocker drive encryption method and cipher strength; can be one of the following values: -
    -
  • AES-Cipher Block Chaining (CBC) 128-bit

  • -
  • AES-CBC 256-bit

  • -
  • XEX-based tweaked-codebook mode with cipher text stealing (XTS)–AES (XTS-AES) 128-bit (this is the default)

  • -
  • XTS-AES-256-bit

  • -
Allow Federal Information Processing Standard (FIPS) algorithm policyWhether the device allows or disallows the FIPS algorithm policy
SSL cipher suitesSpecifies a list of the allowed cryptographic cipher algorithms for SSL connections
Restrict app data to the system volumeSpecifies whether app data is restricted to the system drive
Restrict apps to the system volumeSpecifies whether apps are restricted to the system drive
-  -## App management - -Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics: - -- [Universal Windows Platform (UWP)](#uwp) -- [Sourcing the right app](#sourcing) -- [Windows Store for Business](#store) -- [Mobile application management (MAM) policies](#mam) -- [Microsoft Edge](#edge) - -### Universal Windows Platform - -Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information. - -### Sourcing the right app - -The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system. - -To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to distribute the app packages. 
Your MDM system can deploy apps online by redirecting the user to a licensed app in Windows Store or offline by distributing a package that you downloaded from Windows Store (also called *sideloading*) on Windows 10 Mobile devices. You can fully automate the app deployment process so that no user intervention is required. - -IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business. -Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition). - -Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps. 
- -### Store for Business - -[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription. - -The process for using Store for Business is as follows: - -1. Create a Store for Business subscription for your organization. -2. In the Store for Business portal, acquire apps from Windows Store (only free apps are available at this time). -3. In Store for Business, distribute apps to users, and manage the app licenses for the apps acquired in the previous step. -4. Integrate your MDM system with your organization’s Store for Business subscription. -5. Use your MDM system to deploy the apps. - -For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md). - -### Mobile application management (MAM) policies - -With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. - -You can also control users’ access to Windows Store and whether the Store service updates apps automatically. You can manage all these capabilities through your MDM system. 
Table 18 lists the Windows 10 Mobile app management settings. - -Table 18. Windows 10 Mobile app management settings - -| Setting | Description | -|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow All Trusted Apps | Whether users can sideload apps on the device | -| Allow App Store Auto Update | Whether automatic updates of apps from Windows Store are allowed | -| Allow Developer Unlock | Whether developer unlock is allowed | -| Allow Shared User App Data | Whether multiple users of the same app can share data | -| Allow Store | Whether Windows Store app is allowed to run | -| Allow Windows Bridge For Android App Execution | Whether the Windows Bridge for Android app is allowed to run | -| Application Restrictions | An XML blob that defines the app restrictions for a device (The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher.) | -| Require Private Store Only | Whether the private store is exclusively available to users (If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.) | -| Restrict App Data To System Volume | Whether app data is allowed only on the system drive | -| Restrict App To System Volume | Whether app installation is allowed only to the system drive | -| Start screen layout | An XML blob used to configure the Start screen (See [Start layout for Windows 10 Mobile editions](http://go.microsoft.com/fwlink/p/?LinkId=734057) for more information.) | -  -One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. 
To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system. - -### Microsoft Edge - -MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile. - -Table 19. Microsoft Edge settings for Windows 10 Mobile - -| Setting | Description | -|-------------------------------------------------|-------------------------------------------------------------------------------------------------------| -| Allow Active Scripting | Whether active scripting is allowed | -| Allow Autofill | Whether values are automatically filled on websites | -| Allow Browser | Whether Internet Explorer is allowed on the device | -| Allow Cookies | Whether cookies are allowed | -| Allow Do Not Track headers | Whether Do Not Track headers are allowed | -| Allow InPrivate | Whether users can use InPrivate browsing | -| Allow Password Manager | Whether users can use Password Manager to save and manage passwords locally | -| Allow Search Suggestions in Address Bar | Whether search suggestions are shown in the address bar | -| Allow SmartScreen | Whether SmartScreen Filter is enabled | -| First Run URL | The URL to open when a user launches Microsoft Edge for the first time | -| Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files | -  -## Device operations - -In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios: - -- [Device update](#device-update) -- [Device compliance monitoring](#device-comp) -- [Device inventory](#data-inv) -- [Remote assistance](#remote-assist) -- [Cloud services](#cloud-serv) - -### Device update - -To help protect mobile devices and their data, you must keep those devices updated. 
Windows Update automatically installs updates and upgrades when they become available. - -The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). -Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. - -Table 20. Windows 10 Mobile Enterprise update management settings - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDescription
Allow automatic updateThe automatic update behavior for scanning, downloading, and installing updates; the behavior can be one of the following: -
    -
  • Notify users prior to downloading updates.

  • -
  • Automatically install updates, and then notify users to schedule a restart (this is the default behavior).

  • -
  • Automatically install and restart devices with user notification.

  • -
  • Automatically install and restart devices at a specified time.

  • -
  • Automatically install and restart devices without user interaction.

  • -
  • Turn off automatic updates.

  • -
Allow non Microsoft signed updateWhether automatic updates will accept updates that entities other than Microsoft have signed
Allow update serviceWhether devices can obtain updates from Windows Update, WSUS, or Windows Store
Monthly security updates deferredWhether monthly updates (for example, security patches) are deferred (You can defer updates up to 4 weeks.)
Nonsecurity upgrades deferredWhether nonsecurity upgrades are deferred (You can defer upgrades up to 4 weeks.)
Pause update deferralsWhether the device should skip an update cycle (This setting is valid only when you configure devices to defer updates or upgrades.)
Require update approvalWhether approval is required before updates can be installed on devices (If approval is required, any updates that have an End User License Agreement [EULA] are automatically accepted on the user’s behalf.)
Schedule install timeThe scheduled time at which updates are installed
Scheduled install dayThe schedule of days on which updates are installed
Update deferral periodHow long updates should be deferred
Update service URLThe name of a WSUS server from which to download updates instead of Windows Update
Upgrade deferral periodHow long Windows 10 Mobile upgrades should be deferred
-  -In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help you control the rollout of new updates to Windows 10 Mobile Enterprise devices. - -Table 21. Windows 10 Mobile Enterprise approved update information - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDescription
Approved updatesA list of approved updates. Each update in the list includes the Approved Time setting, which specifies the update approval time. Any approved updates automatically accept EULAs on behalf of users.
Failed updatesA list of updates that failed during installation. Each update in the list includes the following settings: -
    -
  • H Result. The update failure code

  • -
  • Status. The failed update state (for example, download, install)

  • -
Installed updatesA list of updates that are installed on the device.
Installable updatesA list of updates that are available for installation. Each update in the list includes the following settings: -
    -
  • Type. The type of update available for installation, set to one of the following values:

    -
      -
    • 0 (no type)

    • -
    • 1 (security)

    • -
    • 2 (critical)

    • -
  • -
  • Revision Number. The revision number for the update used to get metadata for the update during synchronization.

  • -
Pending reboot updatesA list of updates that require a restart to complete update installation. Each update in the last has the Installed Time setting enabled, which specifies installation time for the update.
Last successful scan timeThe last time a successful update scan was completed.
Defer upgradeWhether the upgrade is deferred until the next update cycle.
-  -
-### Device compliance monitoring
-
-You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards.
-
-You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions. The process that the health attestation feature in Windows 10 Mobile uses is as follows:
-
-1. The health attestation client collects data used to verify device health.
-2. The client forwards the data to the Health Attestation Service (HAS).
-3. The HAS generates a Health Attestation Certificate.
-4. The client forwards the Health Attestation Certificate and related information to the MDM system for verification.
-
-For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).
-
-Depending on the results of the health state validation, an MDM system can take one of the following actions:
-
-- Allow the device to access resources.
-- Allow the device to access resources but identify the device for further investigation.
-- Prevent the device from accessing resources.
-
-Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to determine the action to perform. For most of these data points, the MDM system can take one of the following actions:
-
-- Disallow all access.
-- Disallow access to high-business-impact assets.
-- Allow conditional access based on other data points that are present at evaluation time—for example, other attributes on the health certificate or a device’s past activities and trust history.
-- Take one of the previous actions, and also place the device on a watch list to monitor it more closely for potential risks.
-- Take corrective action, such as informing IT administrators to contact the owner and investigate the issue. - -Table 21. Windows 10 Mobile HAS data points - -| Data point | Description | -|----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Attestation Identity Key (AIK) present | Indicates that an AIK is present (in other words, the device can be trusted more than a device without an AIK). | -| Data Execution Prevention (DEP) enabled | Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy. | -| BitLocker status | BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker. | -| Secure Boot enabled | Whether Secure Boot is enabled on the device. A device with Secure Boot enabled can be trusted more than a device without Secure Boot. Secure Boot is always enabled on Windows 10 Mobile devices. | -| Code integrity enabled | Whether the code integrity of a drive or system file is validated each time it’s loaded into memory. A device with code integrity enabled can be trusted more than a device without code integrity. | -| Safe mode | Whether Windows is running in safe mode. A device that is running Windows in safe mode isn’t as trustworthy as a device running in standard mode. | -| Running Windows Preinstallation Environment (Windows PE) | Whether the device is running Windows PE. A device running Windows PE isn’t as secure as a device running Windows 10 Mobile. | -| Boot debug enabled | Whether the device has boot debug enabled. A device that has boot debug enabled is less secure (trusted) than a device without boot debug enabled. 
| -| OS kernel debugging enabled | Whether the device has operating system kernel debugging enabled. A device that has operating system kernel debugging enabled is less secure (trusted) than a device with operating system kernel debugging disabled. | -| Test signing enabled | Whether test signing is disabled. A device that has test signing disabled is more trustworthy than a device that has test signing enabled. | -| Boot Manager Version | The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted). | -| Code integrity version | Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted). | -| Secure Boot Configuration Policy (SBCP) present | Whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash. | -| Boot cycle whitelist | The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. | -  -### Device inventory - -Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates). - -Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide. 
- -Table 22. Windows 10 Mobile software and hardware inventory examples - -| Setting | Description | -| - | - | -| Installed enterprise apps | List of the enterprise apps installed on the device | -| Device name | The device name configured for the device | -| Firmware version | Version of firmware installed on the device | -| Operating system version | Version of the operating system installed on the device | -| Device local time | Local time on the device | -| Processor type | Processor type for the device | -| Device model | Model of the device as defined by the manufacturer | -| Device manufacturer | Manufacturer of the device | -| Device processor architecture | Processor architecture for the device | -| Device language | Language in use on the device | -| Phone number | Phone number assigned to the device | -| Roaming status | Indicates whether the device has a roaming cellular connection | -| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | -| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | -| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | -| Secure Boot state | Indicates whether Secure Boot is enabled | -| Enterprise encryption policy compliance | Indicates whether the device is encrypted | -  -### Remote assistance - -The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: - -- **Remote lock.** Support personnel can remotely lock a device. 
This ability can help when a user loses his or her mobile device and can retrieve it but not immediately (for example, leaving the device at a customer site). -- **Remote PIN reset.** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost, and users are able to gain access to their devices quickly. -- **Remote ring.** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it. -- **Remote find.** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the device. + +**Managing the Update Experience** + +*Applies to: Corporate devices with Enterprise edition* + +Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates. + +This can include: +- Notifying users prior to downloading updates. +- Automatically downloading updates, and then notifying users to schedule a restart (this is the default behavior if this policy is not configured). +- Automatically downloading and restarting devices with user notification. +- Automatically downloading and restarting devices at a specified time. +- Automatically downloading and restarting devices without user interaction. +- Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device will not receive any updates. 
+ +In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, etc.) or on a specific what [day of the week](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, etc.). + +**Managing the source of updates with MDM** + +*Applies to: Corporate devices with Enterprise edition* + +Although Windows 10 Enterprise enables IT administrators to defer installation of new updates from Windows Update, enterprises may also want additional control over update processes. With this in mind, Microsoft created Windows Update for Business. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. If you are using a MDM system, the use of Windows Update for Business is not a requirement, as you can manage these features from your MDM system. + +Learn more about [Windows Update for Business](../plan/windows-update-for-business.md). + +IT administrators can specify where the device gets updates from with AllowUpdateService. This could be Microsoft Update, Windows Update for Business, or Windows Server Update Services (WSUS. + +**Managing Updates with Windows Update Server** + +*Applies to: Corporate devices with Enterprise edition* + +When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. 
This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices. + +Learn more about [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx) + +**Querying the device update status** + +*Applies to: Personal and corporate devices* + +In addition to configuring how Windows 10 Mobile Enterprise obtains updates, the MDM administrator can query devices for Windows 10 Mobile update information so that update status can be checked against a list of approved updates. + +The device update status query provides an overview of: +- Installed updates: A list of updates that are installed on the device. +- Installable updates: A list of updates that are available for installation. +- Failed updates: A list of updates that failed during installation, including indication of why the update failed. +- Pending reboot: A list of updates that require a restart to complete update installation. +- Last successful scan time: The last time a successful update scan was completed. +- Defer upgrade: Whether the upgrade is deferred until the next update cycle. + +### Device health + +*Applies to: Personal and corporate devices* + +Device Health Attestation (DHA) is another line of defense that is new to Windows 10 Mobile. It can be used to remotely detect devices that lack a secure configuration or have vulnerabilities that could allow them to be easily exploited by sophisticated attacks. + +Windows 10 Mobile makes it easy to integrate with Microsoft Intune or third-party MDM solutions for an overall view of device health and compliance. Using these solutions together, you can detect jailbroken devices, monitor device compliance, generate compliance reports, alert users or administrators to issues, initiate corrective action, and manage conditional access to resources like Office 365 or VPN. 
+ +The first version of Device Health Attestation (DHA) was released in June 2015 for Windows 10 devices that supported TPM 2.0 and operated in an enterprise cloud-based topology. In the Windows 10 anniversary release, Device Health Attestation (DHA) capabilities are extended to legacy devices that support TPM 1.2, hybrid, and on-premises environments that have access to the Internet or operate in an air-gapped network. + +The health attestation feature is based on Open Mobile Alliance (OMA) standards. IT managers can use DHA to validate devices that: +- Run Windows 10 operating system (mobile phone or PC) +- Support Trusted Module Platform (TPM 1.2 or 2.0) in discrete of firmware format +- Are managed by a DHA-enabled device management solution (Intune or third-party MDM) +- Operate in cloud, hybrid, on-premises, and BYOD scenarios + +DHA-enabled device management solutions help IT managers create a unified security bar across all managed Windows 10 Mobile devices. This allows IT managers to: +- Collect hardware attested data (highly assured) data remotely +- Monitor device health compliance and detect devices that are vulnerable or could be exploited by sophisticated attacks +- Take actions against potentially compromised devices, such as: +- Trigger corrective actions remotely so offending device is inaccessible (lock, wipe, or brick the device) +- Prevent the device from getting access to high-value assets (conditional access) +- Trigger further investigation and monitoring (route the device to a honeypot for further monitoring) +- Simply alert the user or the admin to fix the issue + +>**Note:** Windows Device Health Attestation Service can be used for conditional access scenarios which may be enabled by Mobile Device Management solutions (e.g.: Microsoft Intune) and other types of management systems (e.g.: SCCM) purchased separately. 
+ +For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md). + +Thisis a lists of attributes that are supported by DHA and can trigger the corrective actions mentioned above. +- **Attestation Identity Key (AIK) present** Indicates that an AIK is present (i.e., the device can be trusted more than a device without an AIK). +- **Data Execution Prevention (DEP) enabled** Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy. +- **BitLocker status** BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker. +- **Secure Boot enabled** Whether Secure Boot is enabled on the device. A device with Secure Boot enabled can be trusted more than a device without Secure Boot. Secure Boot is always enabled on Windows 10 Mobile devices. +- **Code integrity enabled** Whether the code integrity of a drive or system file is validated each time it’s loaded into memory. A device with code integrity enabled can be trusted more than a device without code integrity. +- **Safe mode** Whether Windows is running in safe mode. A device that is running Windows in safe mode isn’t as trustworthy as a device running in standard mode. +- **Boot debug enabled** Whether the device has boot debug enabled. A device that has boot debug enabled is less secure (trusted) than a device without boot debug enabled. +- **OS kernel debugging enabled** Whether the device has operating system kernel debugging enabled. A device that has operating system kernel debugging enabled is less secure (trusted) than a device with operating system kernel debugging disabled. +- **Test signing enabled** Whether test signing is disabled. A device that has test signing disabled is more trustworthy than a device that has test signing enabled. 
+- **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted). +- **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted). +- **Secure Boot Configuration Policy (SBCP) present** Whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash. +- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. + +**Example scenario** + +Windows 10 mobile has protective measures that work together and integrate with Microsoft Intune or third-party Mobile Device Management (MDM) solutions. IT administrators can monitor and verify compliance to ensure corporate resources are protected end-to–end with the security and trust rooted in the physical hardware of the device. + +Here is what occurs when a smartphone is turned on: +1. Windows 10 Secure Boot protects the boot sequence, enables the device to boot into a defined and trusted configuration, and loads a factory trusted boot loader. +2. Windows 10 Trusted Boot takes control, verifies the digital signature of the Windows kernel, and the components are loaded and executed during the Windows startup process. +3. In parallel to Steps 1 and 2, Windows 10 Mobile TPM (Trusted Platform Modules – measured boot) runs independently in a hardware-protected security zone (isolated from boot execution path monitors boot activities) to create an integrity protected and tamper evident audit trail - signed with a secret that is only accessible by TPM. 
+4. Devices managed by a DHA-enabled MDM solution send a copy of this audit trail to Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel. +5. Microsoft HAS reviews the audit trails, issues an encrypted/signed report, and forwards it to the device. +6. IT managers can use a DHA-enabled MDM solution to review the report in a protected, tamper-resistant and tamper-evident communication channel. They can assess if a device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with security needs and enterprise policies. + +### Asset reporting + +*Applies to: Corporate devices with Enterprise edition* + +Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely and provide reporting capabilities to analyze device resources and information. This data informs IT about the current hardware and software resources of the device (e.g., installed updates). + +The following list shows examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide. 
+ +- **Installed enterprise apps** List of the enterprise apps installed on the device +- **Device name** The device name configured for the device +- **Firmware version** Version of firmware installed on the device +- **Operating system version** Version of the operating system installed on the device +- **Device local time** Local time on the device +- **Processor type** Processor type for the device +- **Device model** Model of the device as defined by the manufacturer +- **Device manufacturer** Manufacturer of the device +- **Device processor architecture** Processor architecture for the device +- **Device language** Language in use on the device +- **Phone number** Phone number assigned to the device +- **Roaming status** Indicates whether the device has a roaming cellular connection +- **International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user +- **Wi-Fi IP address** IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device +- **Wi-Fi media access control (MAC) address** MAC address assigned to the Wi-Fi adapter in the device +- **Wi-Fi DNS suffix and subnet mask** DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device +- **Secure Boot state** Indicates whether Secure Boot is enabled +- **Enterprise encryption policy compliance** Indicates whether the device is encrypted + +### Manage telemetry + +*Applies to: Corporate devices with Windows 10 Mobile Enterprise edition* + +Microsoft uses telemetry (diagnostics, performance, and usage data) from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. 
Telemetry helps keep Windows devices healthy, improve the operating system, and personalize features and services. + +You can control the level of data that telemetry systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system. + +For more information, see [Configure Windows telemetry in Your organization](configure-windows-telemetry-in-your-organization.md). + +>**Note:** Telemetry can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition. + +### Remote assistance + +*Applies to: Personal and corporate devices* + +The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: +- **Remote lock** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it, but not immediately (e.g., leaving the device at a customer site). +- **Remote PIN reset** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost and users are able to quickly gain access to their devices. +- **Remote ring** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it. +- **Remote find** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. Remote find parameters can be configured via phone settings (see table below). The remote find feature returns the most current latitude, longitude, and altitude of the device. 
+ +**Remote assistance policies** +- **Desired location accuracy** The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters +- **Maximum remote find** Maximum length of time in minutes that the server will accept a successful remote find; has a value between 0 and 1,000 minutes +- **Remote find timeout** The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password. -Table 23. Windows 10 Mobile remote find settings +>**Remote control software** Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Windows Store. -| Setting | Description | -|---------------------------|---------------------------------------------------------------------------------------------------------------------------------| -| Desired location accuracy | The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters | -| Maximum remote find | Maximum length of time in minutes that the server will accept a successful remote find; has a value between 0 and 1,000 minutes | -| Remote find timeout | The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds | -  -### Cloud services +## Retire -On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. 
+*Applies to: Corporate and Personal devices* -**Manage push notifications** +Device retirement is the last phase of the device lifecycle, which in today’s business environment averages about 18 months. After that time period, employees want the productivity and performance improvements that come with the latest hardware. It’s important that devices being replaced with newer models are securely retired since you don’t want any company data to remain on discarded devices that could compromise the confidentiality of your data. This is typically not a problem with corporate devices, but it can be more challenging in a personal device scenario. You need to be able to selectively wipe all corporate data without impacting personal apps and data on the device. IT also needs a way to adequately support users who need to wipe devices that are lost or stolen. -The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way. -Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. When battery saver is on, Windows 10 Mobile disables the receipt of push notifications to save energy. +Windows 10 Mobile IT supports device retirement in both personal and corporate scenarios, allowing IT to be confident that corporate data remains confidential and user privacy is protected. -There is an exception to this behavior, however. In Windows 10 Mobile, the **Always allowed** battery saver settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on. 
Users can manually configure this list, or you can use the MDM system to configure it—that is, you can use the battery saver settings URI scheme in Windows 10 Mobile (**ms-settings:batterysaver-settings**) to configure these settings. -For more information about push notifications, see [Windows Push Notification Services (WNS) overview](http://go.microsoft.com/fwlink/p/?LinkId=734060). +>**Note:** All these MDM capabilities are in addition to the device’s software and hardware factory reset features, which employees can use to restore devices to their factory configuration. -**Manage telemetry** +**Personal devices:** Windows 10 mobile supports the USA regulatory requirements for a “kill switch” in case your phone is lost or stolen. Reset protection is a free service on account.microsoft.com that helps ensure that the phone cannot be easily reset and reused. All you need to do to turn on **Reset Protection** is sign in with your Microsoft account and accept the recommended settings. To manually turn it on, you can find it under Settings > Updates & security > Find my phone. At this point, Reset Protection is only available with an MSA, not with Azure AD account. It is also only available in the USA and not in other regions of the world. -As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft identify and troubleshoot problems as well as improve its products and services. Microsoft recommends that you select **Full** for this setting. -Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the information that Windows 10 Mobile collects, but they are permitted to use the information only to repair or improve Microsoft products and services or third-party software and hardware designed for use with Microsoft products and services. 
+If you choose to completely wipe a device when lost or when an employee leaves the company, make sure you obtain consent from the user and follow any local legislation that protects the user’s personal data. -You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10 Mobile collects and provides a brief description of each. To configure devices, specify one of these levels in the **Allow Telemetry** setting. -Table 24. Windows 10 Mobile data collection levels -| Level of data | Description | -|- | - | -| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | -| Basic | Provides only the data vital to the operation of Windows 10 Mobile. This data level helps keep Windows 10 Mobile and apps running properly by letting Microsoft know the device’s capabilities, what’s installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. By selecting this option, you allow Microsoft to provide updates through Windows Update, including malicious software protection through the Malicious Software Removal Tool. | -| Enhanced | Includes all Basic data plus data about how users use Windows 10 Mobile, such as how frequently or how long they use certain features or apps and which apps they use most often. This option also lets operating system collect enhanced diagnostic information, such as the memory state of a device when a system or app crash occurs, and measure reliability of devices, the operating system, and apps. 
| -| Full | Includes all Basic and Enhanced data and also turns on advanced diagnostic features that collect additional data from devices, such as system files or memory snapshots, which may unintentionally include parts of documents user are working on when a problem occurred. This information helps Microsoft further troubleshoot and fix problems. If an error report contains personal data, Microsoft does not use that information to identify, contact, or target advertising to users. | -  -## Device retirement +A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system. -Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device retirement has been a complex and difficult process for organizations. When the organization no longer needs devices, it must remove (wipe) corporate data from them. BYOD scenarios make retirement even more complex because users expect their personal apps and data to remain untouched. Therefore, organizations must remove their data without affecting users’ data. +**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. 
The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. -You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting existing user data (partial or enterprise wipe). The help desk or the devices’ users can initiate device retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as they were before enrollment. The following list summarizes the corporate data removed from a device when it’s retired: +**Settings for personal or corporate device retirement** +- **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system) +- **Allow user to reset phone** Whether users are allowed to use Settings or hardware key combinations to return the device to factory defaults -- Email accounts -- Enterprise-issued certificates -- Network profiles -- Enterprise-deployed apps -- Any data associated with the enterprise-deployed apps ->**Note:**  All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration. -  -To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM system, enable the **Allow Manual MDM Unenrollment** setting. Table 25 lists additional Windows 10 remote wipe settings that you can use the MDM system to configure. - -Table 25. 
Windows 10 Mobile remote wipe settings
-
-| Setting | Description |
-|-------------------------------|----------------------------------------------------------------------------------------------------------------------|
-| Wipe | Specifies that a remote wipe of the device should be performed |
-| Allow manual MDM unenrollment | Whether users are allowed to delete the workplace account (in other words, unenroll the device from the MDM system) |
-| Allow user to reset phone | Whether users are allowed to use Control Panel or hardware key combinations to return the device to factory defaults |
- 
 ## Related topics
 - [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050)
-- [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984)
+- [Enterprise Mobility + Security](http://go.microsoft.com/fwlink/p/?LinkId=723984)
 - [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052)
 - [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910)
+
+
+## Revision History
+
+- November 2015 Updated for Windows 10 Mobile (version 1511)
+- August 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607)
+
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index c41206fb4c..5ad066ab3d 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 
 # Manage Windows 10 Start and taskbar layout
diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md
index 2af7597418..f6182e086b 100644
--- a/windows/manage/windows-spotlight.md
+++ b/windows/manage/windows-spotlight.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
 ---
 
 # Windows Spotlight on the lock screen
diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md
index 67c4200203..f21911e790 100644
--- a/windows/plan/windows-update-for-business.md
+++ b/windows/plan/windows-update-for-business.md
@@ -7,7 +7,8 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: servicing; devices
-author: TrudyHa
+author: jdeckerMS
+localizationpriority: high
 ---
 
 # Windows Update for Business
diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md
index 28e92f028b..4009a8845d 100644
--- a/windows/whats-new/device-guard-overview.md
+++ b/windows/whats-new/device-guard-overview.md
@@ -8,6 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/whats-new-windows-10-version-1507-and-1511
 ---
 
 # Device Guard overview