sync

.openpublishing.redirection.json

@@ -6741,6 +6741,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/multi-app-kiosk-troubleshoot.md",
+"redirect_url": "/windows/configuration/kiosk-troubleshoot",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md",
 "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps",
 "redirect_document_id": true

devices/surface/microsoft-surface-data-eraser.md

@@ -57,6 +57,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include:
 >[!NOTE]
 >Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
 
+>[!NOTE]
+>Surface Data Eraser on Surface Studio and Surface Studio 2 can take up to 6 minutes to boot into WinPE before disk erasure can occur.
+
 
 ## How to create a Microsoft Surface Data Eraser USB stick
 

devices/surface/surface-enterprise-management-mode.md

@@ -17,7 +17,7 @@ ms.date: 01/06/2017
 Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
 
 >[!NOTE]
->SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
+>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
 
 When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
 
@@ -25,7 +25,7 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
 
 ## Microsoft Surface UEFI Configurator
 
-The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
+The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
 
 ![Microsoft Surface UEFI Configurator](images\surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator")
 
@@ -74,14 +74,15 @@ You can enable or disable the following devices with SEMM:
 
 * Docking USB Port
 * On-board Audio
+* DGPU
 * Type Cover
-* Micro SD or SD Card Slots
+* Micro SD Card
 * Front Camera
 * Rear Camera
 * Infrared Camera, for Windows Hello
 * Bluetooth Only
 * Wi-Fi and Bluetooth
-* Trusted Platform Module (TPM)
+* LTE
 
 You can configure the following advanced settings with SEMM:
 
@@ -89,9 +90,12 @@ You can configure the following advanced settings with SEMM:
 * Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
 * Lock the boot order to prevent changes
 * Support for booting to USB devices
+* Enable Network Stack boot settings
+* Enable Auto Power On boot settings
 * Display of the Surface UEFI **Security** page
 * Display of the Surface UEFI **Devices** page
 * Display of the Surface UEFI **Boot** page
+* Display of the Surface UEFI **DateTime** page
 
 >[!NOTE]
 >When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
@@ -116,7 +120,7 @@ These characters are the last two characters of the certificate thumbprint and s
 >6. **All** or **Properties Only** must be selected in the **Show** drop-down menu.
 >7. Select the field **Thumbprint**.
 
-To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
+To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file with administrative privileges on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
 
 For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/itpro/surface/enroll-and-configure-surface-devices-with-semm).
 
@@ -189,6 +193,37 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must
 >[!NOTE]
 >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
 
+### Managing certificates FAQ
+
+The recommended *minimum* length is 15 months. You can use a
+certificate that expires in less than 15 months or use a certificate
+that expires in longer than 15 months.
+
+>[!NOTE] 
+>When a certificate expires, it does not automatically renew. 
+
+**Will existing machines continue to apply the bios settings after 15
+months?**
+
+Yes, but only if the package itself was signed when the certificate was
+valid.
+
+**Will** **the SEMM package and certificate need to be updated on all
+machines that have it?**
+
+If you want SEMM reset or recovery to work, the certificate needs to be
+valid and not expired. You can use the current valid ownership
+certificate to sign a package that updates to a new certificate for
+ownership. You do not need to create a reset package. 
+
+**Can bulk reset packages be created for each surface that we order? Can
+one be built that resets all machines in our environment?**
+
+The PowerShell samples that create a config package for a specific
+device type can also be used to create a reset package that is
+serial-number independent. If the certificate is still valid, you can
+create a reset package using PowerShell to reset SEMM.
+
 ## Version History
 
 ### Version 2.26.136.0

windows/client-management/mdm/policy-csp-internetexplorer.md

@@ -2132,7 +2132,7 @@ If you disable or do not configure this policy, users may choose their own site-
 > [!Note]  
 > This policy is a list that contains the site and index value.
 
-The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value.  The registry name is the site and the value is an index. The index has to be sequential. See an example below.
+The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.
 
 <!--/Description-->
 > [!TIP]

windows/configuration/TOC.md

@@ -31,7 +31,7 @@
 #### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md)
 #### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md)
 #### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md)
-#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
+#### [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md)
 ## [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
 ## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
 ## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)

windows/configuration/change-history-for-configure-windows-10.md

@@ -17,7 +17,13 @@ ms.date: 11/07/2018
 
 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
 
-## Novermber 2018
+## January 2019
+
+New or changed topic | Description
+--- | ---
+[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added how to connect to a single-app kiosk in a virtual machine (VM) for testing.
+
+## November 2018
 
 New or changed topic | Description
 --- | ---

windows/configuration/kiosk-additional-reference.md

@@ -31,7 +31,7 @@ Topic | Description
 [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
 [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) |  Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
 [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
-[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
+[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
 
 
 

windows/configuration/kiosk-prepare.md

@@ -237,5 +237,17 @@ The following table describes some features that have interoperability issues we
 
 
 
+<span id="test-vm" />
+## Testing your kiosk in a virtual machine (VM)
 
+Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly.
 
+A single-app kiosk kiosk configuration runs an app above the lockscreen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. 
+
+When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
+
+![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png)
+
+To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. 
+
+![Do not select connect button, use close X in corner](images/vm-kiosk-connect.png)

windows/configuration/kiosk-troubleshoot.md

@@ -1,5 +1,5 @@
 ---
-title: Troubleshoot multi-app kiosk (Windows 10)
+title: Troubleshoot kiosk mode issues (Windows 10)
 description: Tips for troubleshooting multi-app kiosk configuration.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 keywords: ["lockdown", "app restrictions"]
@@ -13,19 +13,30 @@ ms.author: jdecker
 ms.topic: article
 ---
 
-# Troubleshoot multi-app kiosk
+# Troubleshoot kiosk mode issues
 
 
 **Applies to**
 
 -   Windows 10
 
-## Sign-in issues
+## Single-app kiosk issues
+
+>[!TIP]
+>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
+
+### Sign-in issues 
 
 1. Verify that User Account Control (UAC) is turned on. 
 2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
 
-## Unexpected results
+### Automatic logon issues 
+
+Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
+
+## Multi-app kiosk issues
+
+### Unexpected results 
 
 For example:
 - Start is not launched in full-screen
@@ -43,17 +54,17 @@ For example:
 ![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
 
 
-## Automatic logon issues 
+### Automatic logon issues 
 
 Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
 
-## Apps configured in AllowedList are blocked
+### Apps configured in AllowedList are blocked 
 
 1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. 
 2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
 
 
-## Start layout not as expected
+### Start layout not as expected 
 
 - Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
 - Check if the apps included in the Start layout are installed for the assigned access user.

windows/deployment/deploy-m365.md

@@ -7,7 +7,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 keywords: deployment, automate, tools, configure, mdt, sccm, M365
 ms.localizationpriority: medium
-ms.date: 11/06/2018
 author: greg-lindsay
 ---
 
@@ -19,7 +18,7 @@ author: greg-lindsay
 
 This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 
-[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS).
+[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview.
 
 For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
 
@@ -53,6 +52,10 @@ Examples of these two deployment advisors are shown below.
 ## Windows Analytics deployment advisor example
 ![Windows Analytics deployment advisor](images/wada.png)
 
+## M365 Enterprise poster
+
+[![M365 Enterprise poster](images/m365e.png)](http://aka.ms/m365eposter)
+
 ## Related Topics
 
 [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<br>

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -517,8 +517,8 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 #### Configure Parameters for HTTP.SYS
 1. Open an elevated command prompt.
 2. Run the following commands <br>
-```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
+```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
-```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
+```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
 3. Restart the NDES server.
 
 ## Download, Install and Configure the Intune Certificate Connector

windows/security/identity-protection/hello-for-business/passwordless-strategy.md

@@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them.  With W
 Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely.  Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics.  However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
 
 ### 2. Reduce user-visible password surface area
-With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface.  The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it.  This state helps decondition users from providing a password any time a password prompt shows on their computer.  This is a how passwords are phished.  Users who rarely, it at all, use their password are unlikely to provide it.  Password prompts are no longer the norm.
+With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished.  Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
 
 ### 3. Transition into a password-less deployment
 Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world.  A world where:

windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: Justinha
-ms.date: 11/06/2018
+ms.date: 01/12/2019
 ---
 
 # Overview of BitLocker Device Encryption in Windows 10
@@ -27,7 +27,6 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi
 | Windows 7 | Windows 10 |
 |---|---|
 | When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
- | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.<br><br>Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. |
 | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
 | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
 | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
@@ -58,7 +57,9 @@ With earlier versions of Windows, administrators had to enable BitLocker after W
 
 ## BitLocker Device Encryption 
 
-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
+Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition. 
+
+Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
 
 Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
 

windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md

@@ -22,8 +22,8 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI
 ## In this section
 |Topic |Description |
 |------|------------|
-|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.|
+|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.|
 |[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |

windows/whats-new/ltsc/index.md

@@ -36,12 +36,10 @@ The following table summarizes equivalent feature update versions of Windows 10
 >[!NOTE]
 >The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
 
-The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. 
+With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. 
-
-With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
 
 >[!IMPORTANT]
->The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices.
+>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
  
 For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview.md).
 

windows/whats-new/ltsc/whats-new-windows-10-2016.md

@@ -6,7 +6,6 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: greg-lindsay
-ms.date: 01/08/2019
 ms.localizationpriority: low
 ---
 
@@ -36,6 +35,9 @@ Windows ICD now includes simplified workflows for creating provisioning packages
 
 ### Windows Upgrade Readiness
 
+>[!IMPORTANT]
+>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+
 Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. 
 
 With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.

windows/whats-new/ltsc/whats-new-windows-10-2019.md

@@ -14,7 +14,7 @@ ms.localizationpriority: low
 **Applies to**
 -   Windows 10 Enterprise 2019 LTSC
 
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
 
 >[!NOTE]
 >Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. 
@@ -27,6 +27,9 @@ Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding pr
 
 The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. 
 
+>[!IMPORTANT]
+>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
+
 ## Security
 
 This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
@@ -295,28 +298,7 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
 
 ### Windows Autopilot
 
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
+Information about Windows Autopilot support for LTSC 2019 is pending.
-
-Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
-
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
-
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
-
-#### Windows Autopilot self-deploying mode
-
-Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. 
-
-This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. 
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
-
-To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). 
-
-
-#### Autopilot Reset	
-
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
 
 ### DISM
 
@@ -374,6 +356,9 @@ SetupDiag works by searching Windows Setup log files. When searching log files,
 
 ### Upgrade Readiness
 
+>[!IMPORTANT]
+>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+
 Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
 
 The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
@@ -411,6 +396,55 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
 
 ## Configuration
 
+### Kiosk Configuration
+
+We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
+
+To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. 
+
+![set up a kiosk](../images/kiosk-mode.png "set up a kiosk")
+
+Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
+
+1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode.
+2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
+
+![single app assigned access](../images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
+
+Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
+
+>[!NOTE]
+>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings.
+
+1. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
+
+![multi-app assigned access](../images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
+
+2. **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
+
+![normal mode](../images/Normal_inFrame.png "normal mode")
+
+Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
+
+The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps).
+
+### Windows 10 kiosk and Kiosk Browser
+
+With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
+
+- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
+- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
+- Support for multiple screens for digital signage use cases.
+- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
+- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
+- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
+- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
+- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
+
+For more information, see: 
+- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
+- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
+
 ### Co-management
 
 Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
@@ -598,58 +632,6 @@ Learn about the new Group Policies that were added in Windows 10 Enterprise 2019
 
 This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
 
-
-## Configuration
-
-### Kiosk Configuration
-
-We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
-
-To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. 
-
-![set up a kiosk](../images/kiosk-mode.png "set up a kiosk")
-
-Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
-
-1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode.
-2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
-
-![single app assigned access](../images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
-
-Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
-
->[!NOTE]
->The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings.
-
-1. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
-
-![multi-app assigned access](../images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
-
-2. **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
-
-![normal mode](../images/Normal_inFrame.png "normal mode")
-
-Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
-
-The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps).
-
-### Windows 10 kiosk and Kiosk Browser
-
-With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
-
-- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
-- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
-- Support for multiple screens for digital signage use cases.
-- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
-- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
-- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
-- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
-- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
-
-For more information, see: 
-- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
-- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
-
 ## Networking
 
 ### Network stack