| Topic | +Description | +
|---|---|
[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) |
+Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. |
+
[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
+The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
| [Update Windows 10 in the enterprise](waas-update-windows-10.md) | Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business. |
[Manage corporate devices](manage-corporate-devices.md) |
+You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. |
+
[Windows Spotlight on the lock screen](windows-spotlight.md) |
+Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. |
+
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) |
+Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. |
+
[Create mandatory user profiles](mandatory-user-profile.md) | Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. |
[Lock down Windows 10](lock-down-windows-10.md) |
+Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. |
+
[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) |
+Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). |
+
[Configure devices without MDM](configure-devices-without-mdm.md) |
+Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. |
+
[Application Virtualization for Windows (App-V)](appv-for-windows.md) |
+When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. |
+
[User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) |
+When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. |
+
[Windows Store for Business](windows-store-for-business.md) |
+Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. |
+
[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) |
+This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
+
| Policy | +Notes | +
|---|---|
| Clear history of recently opened documents on exit | +Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted. | +
| Do not allow pinning items in Jump Lists | +Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List. | +
| Do not display or track items in Jump Lists from remote locations | +When this policy is applied, only items local on the computer are shown in Jump Lists. | +
| Do not keep history of recently opened documents | +Documents that the user opens are not tracked during the session. | +
| Prevent changes to Taskbar and Start Menu Settings | +In Windows 10, this disables all of the settings in Settings > Personalization > Start as well as the options in dialog available via right-click Taskbar > Properties | +
| Prevent users from customizing their Start Screen | +Use this policy in conjunction with [CopyProfile](https://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it |
+
| Prevent users from uninstalling applications from Start | +In Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell) | +
| Remove All Programs list from the Start menu | +In Windows 10, this removes the All apps button. | +
| Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +This removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu. | +
| Remove common program groups from Start Menu | +As in earlier versions of Windows, this removes apps specified in the All Users profile from Start | +
| Remove frequent programs list from the Start Menu | +In Windows 10, this removes the top left Most used group of apps. | +
| Remove Logoff on the Start Menu | +Logoff has been changed to Sign Out in the user interface, however the functionality is the same. | +
| Remove pinned programs list from the Start Menu | +In Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned). | +
| Show "Run as different user" command on Start | +This enables the Run as different user option in the right-click menu for apps. | +
| Start Layout | +This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in User Configuration or Computer Configuration. +
+Note
+
+Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education. +
+
+ |
+
| Force Start to be either full screen size or menu size | +This applies a specific size for Start. | +
| Topic | +Description | +
|---|---|
[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) |
+Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. |
+
[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
+The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
| [Update Windows 10 in the enterprise](waas-update-windows-10.md) | Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business. |
[Manage corporate devices](manage-corporate-devices.md) |
+You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. |
+
[Windows Spotlight on the lock screen](windows-spotlight.md) |
+Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. |
+
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) |
+Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. |
+
[Create mandatory user profiles](mandatory-user-profile.md) | Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. |
[Lock down Windows 10](lock-down-windows-10.md) |
+Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. |
+
[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) |
+Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). |
+
[Configure devices without MDM](configure-devices-without-mdm.md) |
+Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. |
+
[Application Virtualization for Windows (App-V)](appv-for-windows.md) |
+When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. |
+
[User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) |
+When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. |
+
[Windows Store for Business](windows-store-for-business.md) |
+Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. |
+
[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) |
+This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
+
For example:
If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.
If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. | +|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| + +## Signing in using Azure AD +Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx) + +## Cortana and privacy +We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. + +Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). + +## See also +- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818) + +- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) + +- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) + +- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/configure/cortana-at-work-policy-settings.md b/windows/configure/cortana-at-work-policy-settings.md new file mode 100644 index 0000000000..83f10f7d3e --- /dev/null +++ b/windows/configure/cortana-at-work-policy-settings.md @@ -0,0 +1,44 @@ +--- +title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10) +description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization +**Applies to:** + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!NOTE] +>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). + +|Group policy |MDM policy |Description | +|-------------|-----------|------------| +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
**NOTE**
This setting only applies to Windows 10 for desktop devices. |
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
+|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
+|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Use this setting if you only want to support Azure AD in your organization.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**NOTE**
This setting only applies to Windows 10 Mobile.|
+|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
**In Windows 10 Pro edition**
This setting can’t be managed.
**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
**IMPORTANT**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/cortana-at-work-powerbi.md b/windows/configure/cortana-at-work-powerbi.md
new file mode 100644
index 0000000000..98b90f572f
--- /dev/null
+++ b/windows/configure/cortana-at-work-powerbi.md
@@ -0,0 +1,138 @@
+---
+title: Set up and test Cortana for Power BI in your organization (Windows 10)
+description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test Cortana for Power BI in your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
+
+>[!Note]
+>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
+
+## Before you begin
+To use this walkthrough, you’ll need:
+
+- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program.
+
+- **Cortana**. You need to have Cortana turned on and be logged into your account.
+
+- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
+
+- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
+
+ **To connect your account to Windows**
+ a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
+
+ b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
+
+## Set up your test environment for Cortana for Power BI
+Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
+
+**To set up your test environment with Cortana and Power BI**
+
+1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
+
+2. Expand the left rail by clicking the **Show the navigation pane** icon.
+
+ 
+
+3. Click **Get Data** from the left-hand navigation in Power BI.
+
+ 
+
+4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
+
+ 
+
+5. Click **Retail Analysis Sample**, and then click **Connect**.
+
+ 
+
+ The sample data is imported and you’re returned to the **Power BI** screen.
+
+6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
+
+ 
+
+7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
+
+ 
+
+8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
+
+9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
+
+ 
+
+ >[!NOTE]
+ >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. + +## Create a custom Answer Page for Cortana +You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana. + +After you’ve finished creating your Answer Page, you can continue to the included testing scenarios. + + >[!NOTE] + >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately. + +**To create a custom sales data Answer Page for Cortana** +1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. + +  + +2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**. + + A blank report page appears. + +3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list. + +  + +4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**. + +  + + The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders. + +5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box. + + The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns. + +  + +6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. + + Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears. + +## Test Scenario: Use Cortana to show info from Power BI in your organization +Now that you’ve set up your device, you can use Cortana to show your info from within Power BI. + +**To use Cortana with Power BI** +1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. + +2. Type _This year in sales_. + + Cortana shows you the available results. + +  + +3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**. + + Cortana returns your custom report. + +  + +>[!NOTE] +>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/configure/cortana-at-work-scenario-1.md b/windows/configure/cortana-at-work-scenario-1.md new file mode 100644 index 0000000000..4a9714a455 --- /dev/null +++ b/windows/configure/cortana-at-work-scenario-1.md @@ -0,0 +1,58 @@ +--- +title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10) +description: A test scenario walking you through signing in and managing the notebook. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook. + +## Turn on Azure AD +This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. + +1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**. + +2. Click your email address. + + A dialog box appears, showing the associated account info. + +3. Click your email address again, and then click **Sign out**. + + This signs out the Microsoft account, letting you continue to add and use the Azure AD account. + +4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request. + +5. Click **Sign-In** and follow the instructions. + +6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com. + + >[!IMPORTANT] + >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it. + +## Use Cortana to manage the notebook content +This process helps you to manage the content Cortana shows in your Notebook. + +1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**. + +2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**. + +3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**. + +  + +4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington. + +  \ No newline at end of file diff --git a/windows/configure/cortana-at-work-scenario-2.md b/windows/configure/cortana-at-work-scenario-2.md new file mode 100644 index 0000000000..fb7b00d578 --- /dev/null +++ b/windows/configure/cortana-at-work-scenario-2.md @@ -0,0 +1,41 @@ +--- +title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10) +description: A test scenario about how to perform a quick search with Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Test scenario 2 - Perform a quick search with Cortana at work + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. + +## Search using Cortana +This process helps you use Cortana at work to perform a quick search. + +1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. + +2. Type *Weather in New York*. + + You should see the weather in New York, New York at the top of the search results. + +  + +## Search with Cortana, by using voice commands +This process helps you to use Cortana at work and voice commands to perform a quick search. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). + +2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago. + +  \ No newline at end of file diff --git a/windows/configure/cortana-at-work-scenario-3.md b/windows/configure/cortana-at-work-scenario-3.md new file mode 100644 index 0000000000..89610c7093 --- /dev/null +++ b/windows/configure/cortana-at-work-scenario-3.md @@ -0,0 +1,86 @@ +--- +title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10) +description: A test scenario about how to set a location-based reminder using Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Test scenario 3 - Set a reminder for a specific location using Cortana at work + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. + +>[!NOTE] +>You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+
+## Create a reminder for a specific location
+This process helps you to create a reminder based on a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
+
+ 
+
+3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
+
+ 
+
+4. Click **Done**.
+
+ >[!NOTE]
+ >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
+
+5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
+
+6. Take a picture of your receipts and store them locally on your device.
+
+7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
+
+ The photo is stored with the reminder.
+
+ 
+
+8. Review the reminder info, and then click **Remind**.
+
+ The reminder is saved and ready to be triggered.
+
+ 
+
+## Create a reminder for a specific location by using voice commands
+This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say _Remind me to grab my expense report receipts before I leave home_.
+
+ Cortana opens a new reminder task and asks if it sounds good.
+
+ 
+
+3. Say _Yes_ so Cortana can save the reminder.
+
+ 
+
+## Edit or archive an existing reminder
+This process helps you to edit or archive and existing or completed reminder.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+ 
+
+2. Click the pending reminder you want to edit.
+
+ 
+
+3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
diff --git a/windows/configure/cortana-at-work-scenario-4.md b/windows/configure/cortana-at-work-scenario-4.md
new file mode 100644
index 0000000000..56f1f6af66
--- /dev/null
+++ b/windows/configure/cortana-at-work-scenario-4.md
@@ -0,0 +1,51 @@
+---
+title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
+description: A test scenario about how to use Cortana at work to find your upcoming meetings.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
+
+>[!NOTE]
+>If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+
+## Find out about upcoming meetings
+This process helps you find your upcoming meetings.
+
+1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type _Show me my meetings for tomorrow_.
+
+ You’ll see all your meetings scheduled for the next day.
+
+ 
+
+## Find out about upcoming meetings by using voice commands
+This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
+
+2. Say _Show me what meeting I have at 3pm tomorrow_.
+
+ >[!IMPORTANT]
+ >Make sure that you have a meeting scheduled for the time you specify here.
+
+ 
+
+
diff --git a/windows/configure/cortana-at-work-scenario-5.md b/windows/configure/cortana-at-work-scenario-5.md
new file mode 100644
index 0000000000..8373a4f4c2
--- /dev/null
+++ b/windows/configure/cortana-at-work-scenario-5.md
@@ -0,0 +1,57 @@
+---
+title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
+description: A test scenario about how to use Cortana at work to send email to a co-worker.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 5 - Use Cortana to send email to a co-worker
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+
+## Send an email to a co-worker
+This process helps you to send a quick message to a co-worker from the work address book.
+
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type _Send an email to <contact_name>_.
+
+ Where _<contact_name>_ is the name of someone in your work address book.
+
+4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
+
+ 
+
+## Send an email to a co-worker by using voice commands
+This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
+
+2. Say _Send an email to <contact_name>_.
+
+ Where _<contact_name>_ is the name of someone in your work address book.
+
+3. Add your email message by saying, _Hello this is a test email using Cortana at work._
+
+ The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
+
+ 
+
+4. Say _Send it_.
+
+ The email is sent.
+
+ 
\ No newline at end of file
diff --git a/windows/configure/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-6.md
new file mode 100644
index 0000000000..ac15463824
--- /dev/null
+++ b/windows/configure/cortana-at-work-scenario-6.md
@@ -0,0 +1,37 @@
+---
+title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+
+## Use Cortana and WIP to protect your organization’s data
+
+1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+
+2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+
+3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+
+4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+
+5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
diff --git a/windows/configure/cortana-at-work-testing-scenarios.md b/windows/configure/cortana-at-work-testing-scenarios.md
new file mode 100644
index 0000000000..41f734e006
--- /dev/null
+++ b/windows/configure/cortana-at-work-testing-scenarios.md
@@ -0,0 +1,32 @@
+---
+title: Testing scenarios using Cortana in your business or organization (Windows 10)
+description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Testing scenarios using Cortana in your business or organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
+
+- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
+
+- Set a reminder and have it remind you when you’ve reached a specific location.
+
+- Search for your upcoming meetings on your work calendar.
+
+- Send an email to a co-worker from your work email app.
+
+- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/configure/cortana-at-work-voice-commands.md b/windows/configure/cortana-at-work-voice-commands.md
new file mode 100644
index 0000000000..766a5914ad
--- /dev/null
+++ b/windows/configure/cortana-at-work-voice-commands.md
@@ -0,0 +1,64 @@
+---
+title: Set up and test custom voice commands in Cortana for your organization (Windows 10)
+description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test custom voice commands in Cortana for your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
+
+>[!NOTE]
+>For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions).
+
+## High-level process
+Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
+
+To enable voice commands in Cortana
+
+1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
+
+ Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
+
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana).
+
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana).
+
+2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
+
+## Test Scenario: Use voice commands in a Windows Store app
+While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
+
+**To get a Windows Store app**
+1. Go to the Windows Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**.
+
+2. Click **Uber**, and then click **Install**.
+
+3. Open Uber, create an account or sign in, and then close the app.
+
+**To set up the app with Cortana**
+1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+
+2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
+
+ 
+
+**To use the voice-enabled commands with Cortana**
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say _Uber get me a taxi_.
+
+ Cortana changes, letting you provide your trip details for Uber.
+
+## See also
+- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
\ No newline at end of file
diff --git a/windows/configure/customize-and-export-start-layout.md b/windows/configure/customize-and-export-start-layout.md
new file mode 100644
index 0000000000..102272ce54
--- /dev/null
+++ b/windows/configure/customize-and-export-start-layout.md
@@ -0,0 +1,169 @@
+---
+title: Customize and export Start layout (Windows 10)
+description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
+ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236
+keywords: ["start screen"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Customize and export Start layout
+
+
+**Applies to**
+
+- Windows 10
+
+>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+
+The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
+
+After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout.
+
+When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start.
+
+When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
+
+>[!NOTE]
+>Partial Start layout is only supported on Windows 10, version 1511 and later.
+
+
+
+You can deploy the resulting .xml file to devices using one of the following methods:
+
+- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+
+- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+
+## Customize the Start screen on your test computer
+
+
+To prepare a Start layout for export, you simply customize the Start layout on a test computer.
+
+**To prepare a test computer**
+
+1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display.
+
+2. Create a new user account that you will use to customize the Start layout.
+
+
+**To customize Start**
+
+1. Sign in to your test computer with the user account that you created.
+
+2. Customize the Start layout as you want users to see it by using the following techniques:
+
+ - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**.
+
+ To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
+
+ - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
+
+ - **Drag tiles** on Start to reorder or group apps.
+
+ - **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
+
+ - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
+
+## Export the Start layout
+
+
+When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
+
+**To export the Start layout to an .xml file**
+
+1. From Start, open **Windows PowerShell**.
+
+2. At the Windows PowerShell command prompt, enter the following command:
+
+ `export-startlayout –path [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Create mandatory user profiles](mandatory-user-profile.md) Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. [Lock down Windows 10](lock-down-windows-10.md) Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). [Configure devices without MDM](configure-devices-without-mdm.md) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Application Virtualization for Windows (App-V)](appv-for-windows.md) When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Create mandatory user profiles](mandatory-user-profile.md) Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. [Lock down Windows 10](lock-down-windows-10.md) Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). [Configure devices without MDM](configure-devices-without-mdm.md) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Application Virtualization for Windows (App-V)](appv-for-windows.md) When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) Use this article to make informed decisions about how you can configure Windows telemetry in your organization. [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. [Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device HORM is supported in Windows 10, version 1607. [Unified Write Filter](https://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated. [Keyboard Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path. [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category. Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application. [Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus. [Dialog Filter](https://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing. Control over which processes are able to run will now be provided by AppLocker. System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below. [Toast Notification Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps. Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](https://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications. [Embedded Lockdown Manager](https://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager. [USB Filter](https://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices. Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device. In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed. Learn [how to use Assigned Access to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app. [Gesture Filter](https://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy. [Custom Logon]( https://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. [Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. Simple. Simple download mode with no peering. Bypass. Use BITS instead of Windows Update Delivery Optimization. 0. Turns off Delivery Optimization. 1. Gets or sends updates and apps to PCs on the same NAT only. 2. Gets or sends updates and apps to PCs on the same local network domain. 3. Gets or sends updates and apps to PCs on the Internet. 99. Simple download mode with no peering. 100. Use BITS instead of Windows Update Delivery Optimization. [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Create mandatory user profiles](mandatory-user-profile.md) Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. [Lock down Windows 10](lock-down-windows-10.md) Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). [Configure devices without MDM](configure-devices-without-mdm.md) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Application Virtualization for Windows (App-V)](appv-for-windows.md) When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). A558FEBA-85D7-4665-B5D8-A2FF9C19799B Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar A558FEBA-85D7-4665-B5D8-A2FF9C19799B Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail
+Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+ - Shared network folder
+
+ - SharePoint site
+
+ - Removable media (USB/SD)
+
+ - Email
+
+ - USB tether (mobile only)
+
+ - NFC (mobile only)
+
+
+
+**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
diff --git a/windows/configure/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md
new file mode 100644
index 0000000000..1125dd6985
--- /dev/null
+++ b/windows/configure/provisioning-apply-package.md
@@ -0,0 +1,119 @@
+---
+title: Apply a provisioning package (Windows 10)
+description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Apply a provisioning package
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+
+## Desktop editions
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+6. Read and accept the Microsoft Software License Terms.
+
+ 
+
+7. Select **Use Express settings**.
+
+ 
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+ 
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+ 
+
+10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+ 
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+
+
+## Mobile editions
+
+### Using removable media
+
+1. Insert an SD card containing the provisioning package into the device.
+2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+ 
+
+3. Click **Add**.
+
+4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
+
+ 
+
+### Copying the provisioning package to the device
+
+1. Connect the device to your PC through USB.
+
+2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
+
+3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
+
+ 
+
+
+
+
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
diff --git a/windows/configure/provisioning-command-line.md b/windows/configure/provisioning-command-line.md
new file mode 100644
index 0000000000..d5c52aabac
--- /dev/null
+++ b/windows/configure/provisioning-command-line.md
@@ -0,0 +1,68 @@
+---
+title: Windows ICD command-line interface (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Windows ICD command-line interface (reference)
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images.
+
+- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges.
+
+- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+
+
+
+## Syntax
+
+```
+icd.exe /Build-ProvisioningPackage /CustomizationXML: [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Create mandatory user profiles](mandatory-user-profile.md) Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. [Lock down Windows 10](lock-down-windows-10.md) Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). [Configure devices without MDM](configure-devices-without-mdm.md) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Application Virtualization for Windows (App-V)](appv-for-windows.md) When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell. [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. Policy name Value When set? Admin Templates > Control Panel > Personalization Prevent enabling lock screen slide show Enabled Always Prevent changing lock screen and logon image Enabled Always Admin Templates > System > Power Management > Button Settings Select the Power button action (plugged in) Sleep SetPowerPolicies=True Select the Power button action (on battery) Sleep SetPowerPolicies=True Select the Sleep button action (plugged in) Sleep SetPowerPolicies=True Select the lid switch action (plugged in) Sleep SetPowerPolicies=True Select the lid switch action (on battery) Sleep SetPowerPolicies=True Admin Templates > System > Power Management > Sleep Settings Require a password when a computer wakes (plugged in) Enabled SignInOnResume=True Require a password when a computer wakes (on battery) Enabled SignInOnResume=True Specify the system sleep timeout (plugged in) *SleepTimeout* SetPowerPolicies=True Specify the system sleep timeout (on battery) *SleepTimeout* SetPowerPolicies=True Turn off hybrid sleep (plugged in) Enabled SetPowerPolicies=True Turn off hybrid sleep (on battery) Enabled SetPowerPolicies=True Specify the unattended sleep timeout (plugged in) *SleepTimeout* SetPowerPolicies=True Specify the unattended sleep timeout (on battery) *SleepTimeout* SetPowerPolicies=True Allow standby states (S1-S3) when sleeping (plugged in) Enabled SetPowerPolicies=True Allow standby states (S1-S3) when sleeping (on battery) Enabled SetPowerPolicies=True Specify the system hibernate timeout (plugged in) Enabled, 0 SetPowerPolicies=True Specify the system hibernate timeout (on battery) Enabled, 0 SetPowerPolicies=True Admin Templates>System>Power Management>Video and Display Settings Turn off the display (plugged in) *SleepTimeout* SetPowerPolicies=True Turn off the display (on battery *SleepTimeout* SetPowerPolicies=True Admin Templates>System>Logon Show first sign-in animation Disabled Always Hide entry points for Fast User Switching Enabled Always Turn on convenience PIN sign-in Disabled Always Turn off picture password sign-in Enabled Always Turn off app notification on the lock screen Enabled Always Allow users to select when a password is required when resuming from connected standby Disabled SignInOnResume=True Block user from showing account details on sign-in Enabled Always Admin Templates>System>User Profiles Turn off the advertising ID Enabled SetEduPolicies=True Admin Templates>Windows Components Do not show Windows Tips Enabled SetEduPolicies=True Turn off Microsoft consumer experiences Enabled SetEduPolicies=True Microsoft Passport for Work Disabled Always Prevent the usage of OneDrive for file storage Enabled Always Admin Templates>Windows Components>Biometrics Allow the use of biometrics Disabled Always Allow users to log on using biometrics Disabled Always Allow domain users to log on using biometrics Disabled Always Admin Templates>Windows Components>Data Collection and Preview Builds Toggle user control over Insider builds Disabled Always Disable pre-release features or settings Disabled Always Do not show feedback notifications Enabled Always Admin Templates>Windows Components>File Explorer Show lock in the user tile menu Disabled Always Admin Templates>Windows Components>Maintenance Scheduler Automatic Maintenance Activation Boundary *MaintenanceStartTime* Always Automatic Maintenance Random Delay Enabled, 2 hours Always Automatic Maintenance WakeUp Policy Enabled Always Admin Templates>Windows Components>Microsoft Edge Open a new tab with an empty tab Disabled SetEduPolicies=True Configure corporate home pages Enabled, about:blank SetEduPolicies=True Admin Templates>Windows Components>Search Allow Cortana Disabled SetEduPolicies=True Windows Settings>Security Settings>Local Policies>Security Options Interactive logon: Do not display last user name Enabled, Disabled when account model is only guest Always Interactive logon: Sign-in last interactive user automatically after a system-initiated restart Disabled Always Shutdown: Allow system to be shut down without having to log on Disabled Always User Account Control: Behavior of the elevation prompt for standard users Auto deny Always Apps corner (disabled in Assigned Access) [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Create mandatory user profiles](mandatory-user-profile.md) Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. [Lock down Windows 10](lock-down-windows-10.md) Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). [Configure devices without MDM](configure-devices-without-mdm.md) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Application Virtualization for Windows (App-V)](appv-for-windows.md) When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). Suggestions -and- Dynamically inserted app tile MDM: Allow Windows Consumer Features Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. MDM: Start layout Group Policy: Start layout Group Policy: Prevent users from customizing their Start Screen When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own. Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar.
+ MDM: Force Start size Group Policy: Force Start to be either full screen size or menu size [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Create mandatory user profiles](mandatory-user-profile.md) Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. [Lock down Windows 10](lock-down-windows-10.md) Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). [Configure devices without MDM](configure-devices-without-mdm.md) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Application Virtualization for Windows (App-V)](appv-for-windows.md) When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). Select Servicing Options: CB or CBB Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). Quality Updates Able to defer receiving Quality Updates: Able to defer receiving Quality Updates: Feature Updates Able to defer receiving Feature Updates: Able to defer receiving Feature Updates: Pause updates Features and Quality Updates can be paused separately. Drivers No driver-specific controls Drivers can be selectively excluded from Windows Update for Business.
+
+
+## Configure a partial Start layout
+
+
+A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
+
+
+
+When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
+
+When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added.
+
+If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked.
+
+**To configure a partial Start screen layout**
+
+1. [Customize the Start layout](#bmk-customize-start).
+
+2. [Export the Start layout](#bmk-exportstartscreenlayout).
+3. Open the layout .xml file. There is a `
+
+
+
+ XML
+
+
+
+ <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+ <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+ <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
+ <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+
+
+ Example of the same layout file with escape characters replacing the markup characters:
+
+```
+ <wdcml:p xmlns:wdcml="http://microsoft.com/wdcml">Example of a layout file produced by Export-StartLayout:</wdcml:p><wdcml:snippet xmlns:wdcml="http://microsoft.com/wdcml"><![CDATA[<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+ <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+ <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
+ <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>]]></wdcml:snippet>
+```
+
+2. In the Microsoft Intune administration console, click **Policy** > **Add Policy**.
+
+3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
+
+4. Enter a name (mandatory) and description (optional) for the policy.
+
+5. In the **OMA-URI Settings** section, click **Add.**
+
+6. In **Add or Edit OMA-URI Setting**, enter the following information.
+
+ | Item | Information |
+ |----|----|
+ | **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. |
+ | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
+ | **Data type** | **String** |
+ | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
+ | **Value** | Paste the contents of the Start layout .xml file that you created. |
+
+
+
+7. Click **OK** to save the setting and return to the **Create Policy** page.
+
+8. Click **Save Policy**.
+
+## Related topics
+
+
+[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+
+[Customize and export Start layout](customize-and-export-start-layout.md)
+
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+
+[Use Windows 10 custom policies to manage device settings with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=616316)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
new file mode 100644
index 0000000000..7cc8395f8b
--- /dev/null
+++ b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -0,0 +1,122 @@
+---
+title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10)
+description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
+ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC
+keywords: ["Start layout", "start menu"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Customize Windows 10 Start and taskbar with ICD and provisioning packages
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+**Looking for consumer information?**
+
+- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+
+In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
+
+>[!IMPORTANT]
+>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
+
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile.
+
+## How Start layout control works
+
+
+Three features enable Start and taskbar layout control:
+
+- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
+
+ **Note**
+ To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
+
+- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `
+
+
+
+ XML
+
+
+
+ <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+ <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+ <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
+ <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+
+
+
+## Related topics
+[Windows 10 and Windows 10 Mobile](../index.md)
+
+
+[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configure/kiosk-shared-pc.md
new file mode 100644
index 0000000000..61fd0bf61e
--- /dev/null
+++ b/windows/configure/kiosk-shared-pc.md
@@ -0,0 +1,86 @@
+---
+title: Manage and update Windows 10 (Windows 10)
+description: Learn about managing and updating Windows 10.
+ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0
+keywords: Windows 10, MDM, WSUS, Windows update
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Manage and update Windows 10
+
+Learn about managing and updating Windows 10.
+
+>[!NOTE]
+>Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/).
+
+## In this section
+
+
+
+
+
+Topic
+Description
+
+
+
+
+[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related topics
+[Windows 10 and Windows 10 Mobile](../index.md)
+
+
+[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/configure/lock-down-windows-10-to-specific-apps.md b/windows/configure/lock-down-windows-10-to-specific-apps.md
new file mode 100644
index 0000000000..8ab992a6f0
--- /dev/null
+++ b/windows/configure/lock-down-windows-10-to-specific-apps.md
@@ -0,0 +1,131 @@
+---
+title: Lock down Windows 10 to specific apps (Windows 10)
+description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Lock down Windows 10 to specific apps
+
+
+**Applies to**
+
+- Windows 10
+
+>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
+
+You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device.
+
+AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](../keep-secure/how-applocker-works-techref.md).
+
+This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
+
+
+
+## Install apps
+
+
+First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+
+## Use AppLocker to set rules for apps
+
+
+After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
+
+1. Run Local Security Policy (secpol.msc) as an administrator.
+
+2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
+
+ 
+
+3. Check **Configured** under **Executable rules**, and then click **OK**.
+
+4. Right-click **Executable Rules** and then click **Automatically generate rules**.
+
+ 
+
+5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
+
+6. Type a name to identify this set of rules, and then click **Next**.
+
+7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
+
+8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
+
+9. Read the message and click **Yes**.
+
+ 
+
+10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
+
+11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
+
+12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
+
+ ``` syntax
+ sc config appidsvc start=auto
+ ```
+
+13. Restart the device.
+
+## Other settings to lock down
+
+
+In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
+
+- Remove **All apps**.
+
+ Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
+
+- Hide **Ease of access** feature on the logon screen.
+
+ Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+
+- Disable the hardware power button.
+
+ Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+
+- Disable the camera.
+
+ Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+
+- Turn off app notifications on the lock screen.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+
+- Disable removable media.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
+
+ **Note**
+ To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+
+
+To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
+
+## Customize Start screen layout for the device
+
+
+Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
+
+## Related topics
+
+- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/lock-down-windows-10.md b/windows/configure/lock-down-windows-10.md
new file mode 100644
index 0000000000..a3374f6d0f
--- /dev/null
+++ b/windows/configure/lock-down-windows-10.md
@@ -0,0 +1,77 @@
+---
+title: Lock down Windows 10 (Windows 10)
+description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
+ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
+keywords: lockdown
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Lock down Windows 10
+
+Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
+
+## In this section
+
+
+
+
+
+
+Topic
+Description
+
+
+
+
+[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
+
+## Related topics
+
+[Lockdown features from Windows Embedded Industry 8.1](../whats-new/lockdown-features-windows-10.md)
diff --git a/windows/configure/lockdown-features-windows-10.md b/windows/configure/lockdown-features-windows-10.md
new file mode 100644
index 0000000000..c6eaa7e68d
--- /dev/null
+++ b/windows/configure/lockdown-features-windows-10.md
@@ -0,0 +1,116 @@
+---
+title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
+description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
+ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14
+keywords: lockdown, embedded
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Lockdown features from Windows Embedded 8.1 Industry
+
+**Applies to**
+- Windows 10
+
+
+Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
+
+
+
+
+Topic
+Description
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md
new file mode 100644
index 0000000000..936ed8c310
--- /dev/null
+++ b/windows/configure/lockdown-xml.md
@@ -0,0 +1,870 @@
+---
+title: Configure Windows 10 Mobile using Lockdown XML (Windows 10)
+description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
+ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure Windows 10 Mobile using Lockdown XML
+
+
+**Applies to**
+
+- Windows 10 Mobile
+
+Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available.
+
+This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices.
+
+Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+
+> [!NOTE]
+> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+
+If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first.
+
+## Overview of the lockdown XML file
+
+Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml.
+
+```xml
+
+
+
+
+
+Windows Embedded 8.1 Industry lockdown feature
+Windows 10 feature
+Changes
+
+
+N/A
+
+
+[Unified Write Filter](https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx)
+
+
+[Keyboard Filter](https://go.microsoft.com/fwlink/p/?LinkId=708391)
+
+
+[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)
+
+
+[Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)
+
+
+[AppLocker](../keep-secure/applocker-overview.md)
+
+
+
+Mobile device management (MDM) and Group Policy
+
+
+[Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkID=525483)
+
+
+MDM and Group Policy
+
+
+[Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)
+
+
+MDM and Group Policy
+
+
+[Embedded Logon](https://go.microsoft.com/fwlink/p/?LinkId=626760)
+
+
+
+[Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626873)
+
Disable this policy to turn off Cortana. |
+| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results.
Disable this policy to block access to location information for Cortana. |
+| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Enable this policy to remove the option to search the Internet from Cortana. |
+| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search. |
+| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. |
+
+In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
+
+>[!IMPORTANT]
+>These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016.
+
+1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
+
+2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
+
+3. On the **Rule Type** page, click **Program**, and then click **Next**.
+
+4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
+
+5. On the **Action** page, click **Block the connection**, and then click **Next**.
+
+6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
+
+7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
+
+8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
+
+9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
+
+ - For **Protocol type**, choose **TCP**.
+
+ - For **Local port**, choose **All Ports**.
+
+ - For **Remote port**, choose **All ports**.
+
+
+If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
+
+### 2.2 Cortana and Search MDM policies
+
+For Windows 10 only, the following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
+| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed|
+
+### 3. Date & Time
+
+You can prevent Windows from setting the time automatically.
+
+- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
+
+ -or-
+
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+
+### 4. Device metadata retrieval
+
+To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+
+### 5. Font streaming
+
+Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
+
+If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+
+If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
+
+> [!NOTE]
+> After you apply this policy, you must restart the device for it to take effect.
+
+
+### 6. Insider Preview builds
+
+The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10.
+
+> [!NOTE]
+> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
+
+To turn off Insider Preview builds for a released version of Windows 10:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+
+To turn off Insider Preview builds for Windows 10:
+
+> [!NOTE]
+> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
+
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+
+ -or-
+
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+ -or-
+
+- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+### 7. Internet Explorer
+
+Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled|
+| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
+| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
+| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
+
+There are two more Group Policy objects that are used by Internet Explorer:
+
+| Path | Policy | Description |
+| - | - | - |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled |
+
+### 7.1 ActiveX control blocking
+
+ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+
+For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
+
+### 8. Live Tiles
+
+To turn off Live Tiles:
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+
+### 9. Mail synchronization
+
+To turn off mail synchronization for Microsoft Accounts that are configured on a device:
+
+- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
+
+ -or-
+
+- Remove any Microsoft Accounts from the Mail app.
+
+ -or-
+
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+
+To turn off the Windows Mail app:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
+
+### 10. Microsoft Account
+
+To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
+
+- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4.
+
+
+### 11. Microsoft Edge
+
+Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682).
+
+### 11.1 Microsoft Edge Group Policies
+
+Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
+
+> [!NOTE]
+> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Configure autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
+| Configure password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled |
+| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
+| Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+
+
+The Windows 10, version 1511 Microsoft Edge Group Policy names are:
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled |
+| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled |
+| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
+| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+
+### 11.2 Microsoft Edge MDM policies
+
+The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed |
+| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed |
+| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed |
+| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed |
+| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed |
+
+
+For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
+
+### 12. Network Connection Status Indicator
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+
+In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com.
+
+You can turn off NCSI through Group Policy:
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+
+> [!NOTE]
+> After you apply this policy, you must restart the device for the policy setting to take effect.
+
+### 13. Offline maps
+
+You can turn off the ability to download and update offline maps.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+
+ -and-
+
+- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
+
+### 14. OneDrive
+
+To turn off OneDrive in your organization:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+
+### 15. Preinstalled apps
+
+Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
+
+To remove the News app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
+
+To remove the Weather app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
+
+To remove the Money app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
+
+To remove the Sports app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
+
+To remove the Twitter app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
+
+To remove the XBOX app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
+
+To remove the Sway app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
+
+To remove the OneNote app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
+
+To remove the Get Office app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
+
+To remove the Get Skype app:
+
+- Right-click the Sports app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
+
+### 16. Settings > Privacy
+
+Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
+
+- [16.1 General](#bkmk-general)
+
+- [16.2 Location](#bkmk-priv-location)
+
+- [16.3 Camera](#bkmk-priv-camera)
+
+- [16.4 Microphone](#bkmk-priv-microphone)
+
+- [16.5 Notifications](#bkmk-priv-notifications)
+
+- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
+
+- [16.7 Account info](#bkmk-priv-accounts)
+
+- [16.8 Contacts](#bkmk-priv-contacts)
+
+- [16.9 Calendar](#bkmk-priv-calendar)
+
+- [16.10 Call history](#bkmk-priv-callhistory)
+
+- [16.11 Email](#bkmk-priv-email)
+
+- [16.12 Messaging](#bkmk-priv-messaging)
+
+- [16.13 Radios](#bkmk-priv-radios)
+
+- [16.14 Other devices](#bkmk-priv-other-devices)
+
+- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
+
+- [16.16 Background apps](#bkmk-priv-background)
+
+- [16.17 Motion](#bkmk-priv-motion)
+
+### 16.1 General
+
+**General** includes options that don't fall into other areas.
+
+To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
+
+> [!NOTE]
+> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+
+To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
+
+ Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+
+ -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
+ -or-
+
+- Create a provisioning package, using:
+
+ - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
+
+ - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
+
+To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
+
+> [!NOTE]
+> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Not allowed
+
+ - **1**. Allowed (default)
+
+To turn off **Let websites provide locally relevant content by accessing my language list**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
+
+To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
+
+To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
+
+- Turn off the feature in the UI.
+
+### 16.2 Location
+
+In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
+
+To turn off **Location for this device**:
+
+- Click the **Change** button in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+
+ -or-
+
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Turned off and the employee can't turn it back on.
+
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
+
+ - **2**. Turned on and the employee can't turn it off.
+
+ > [!NOTE]
+ > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
+
+ - **No**. Turns off location service.
+
+ - **Yes**. Turns on location service. (default)
+
+To turn off **Location**:
+
+- Turn off the feature in the UI.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+To turn off **Location history**:
+
+- Erase the history using the **Clear** button in the UI.
+
+To turn off **Choose apps that can use your location**:
+
+- Turn off each app using the UI.
+
+### 16.3 Camera
+
+In the **Camera** area, you can choose which apps can access a device's camera.
+
+To turn off **Let apps use my camera**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+ > [!NOTE]
+ > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+To turn off **Choose apps that can use your camera**:
+
+- Turn off the feature in the UI for each app.
+
+### 16.4 Microphone
+
+In the **Microphone** area, you can choose which apps can access a device's microphone.
+
+To turn off **Let apps use my microphone**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can use your microphone**:
+
+- Turn off the feature in the UI for each app.
+
+### 16.5 Notifications
+
+In the **Notifications** area, you can choose which apps have access to notifications.
+
+To turn off **Let apps access my notifications**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.6 Speech, inking, & typing
+
+In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
+
+> [!NOTE]
+> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
+
+To turn off the functionality:
+
+- Click the **Stop getting to know me** button, and then click **Turn off**.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
+
+ -and-
+
+- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+
+
+If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
+
+Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
+
+- **0** (default). Not allowed.
+- **1**. Allowed.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero).
+
+### 16.7 Account info
+
+In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
+
+To turn off **Let apps access my name, picture, and other account info**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose the apps that can access your account info**:
+
+- Turn off the feature in the UI for each app.
+
+### 16.8 Contacts
+
+In the **Contacts** area, you can choose which apps can access an employee's contacts list.
+
+To turn off **Choose apps that can access contacts**:
+
+- Turn off the feature in the UI for each app.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.9 Calendar
+
+In the **Calendar** area, you can choose which apps have access to an employee's calendar.
+
+To turn off **Let apps access my calendar**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can access calendar**:
+
+- Turn off the feature in the UI for each app.
+
+### 16.10 Call history
+
+In the **Call history** area, you can choose which apps have access to an employee's call history.
+
+To turn off **Let apps access my call history**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.11 Email
+
+In the **Email** area, you can choose which apps have can access and send email.
+
+To turn off **Let apps access and send email**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.12 Messaging
+
+In the **Messaging** area, you can choose which apps can read or send messages.
+
+To turn off **Let apps read or send messages (text or MMS)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can read or send messages**:
+
+- Turn off the feature in the UI for each app.
+
+### 16.13 Radios
+
+In the **Radios** area, you can choose which apps can turn a device's radio on or off.
+
+To turn off **Let apps control radios**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can control radios**:
+
+- Turn off the feature in the UI for each app.
+
+### 16.14 Other devices
+
+In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
+
+To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+
+To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.15 Feedback & diagnostics
+
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+
+To change how frequently **Windows should ask for my feedback**:
+
+> [!NOTE]
+> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+
+
+
+- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+
+ -or-
+
+- Create the registry keys (REG\_DWORD type):
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+
+ Based on these settings:
+
+ | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
+ |---------------|-----------------------------|-----------------------------|
+ | Automatically | Delete the registry setting | Delete the registry setting |
+ | Never | 0 | 0 |
+ | Always | 100000000 | Delete the registry setting |
+ | Once a day | 864000000000 | 1 |
+ | Once a week | 6048000000000 | 1 |
+
+
+
+To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
+
+- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
+
+ > [!NOTE]
+ > You can't use the UI to change the telemetry level to **Security**.
+
+
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+
+ -or-
+
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+### 16.16 Background apps
+
+In the **Background Apps** area, you can choose which apps can run in the background.
+
+To turn off **Let apps run in the background**:
+
+- Turn off the feature in the UI for each app.
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.17 Motion
+
+In the **Motion** area, you can choose which apps have access to your motion data.
+
+To turn off **Let Windows and your apps use your motion data and collect motion history**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
+
+### 17. Software Protection Platform
+
+Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
+
+For Windows 10:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
+
+ -or-
+
+- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
+
+For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
+
+The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+
+### 18. Sync your settings
+
+You can control if your settings are synchronized:
+
+- In the UI: **Settings** > **Accounts** > **Sync your settings**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+
+ -or-
+
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
+
+ - **No**. Settings are not synchronized.
+
+ - **Yes**. Settings are synchronized. (default)
+
+To turn off Messaging cloud sync:
+
+- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
+
+### 19. Teredo
+
+You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+
+>[!NOTE]
+>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
+
+ -or-
+
+- From an elevated command prompt, run **netsh interface teredo set state disabled**
+
+### 20. Wi-Fi Sense
+
+Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
+
+To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
+
+ -or-
+
+- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
+
+ -or-
+
+- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
+
+When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
+
+### 21. Windows Defender
+
+You can disconnect from the Microsoft Antimalware Protection Service.
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
+
+ -or-
+
+- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
+
+ -and-
+
+ From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
+
+You can stop sending file samples back to Microsoft.
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+
+ -or-
+
+- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Always prompt.
+
+ - **1**. (default) Send safe samples automatically.
+
+ - **2**. Never send.
+
+ - **3**. Send all samples automatically.
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+
+You can stop downloading definition updates:
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+
+ -and-
+
+- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+For Windows 10 only, you can stop Enhanced Notifications:
+
+- Turn off the feature in the UI.
+
+You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+
+### 22. Windows Media Player
+
+To remove Windows Media Player on Windows 10:
+
+- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
+
+ -or-
+
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+
+To remove Windows Media Player on Windows Server 2016:
+
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+
+### 23. Windows spotlight
+
+Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
+
+If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
+
+- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+
+If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
+
+- Configure the following in **Settings**:
+
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
+
+ > [!NOTE]
+ > In Windows 10, version 1507 and Windows 10, version 1511, this setting was called **Show me tips, tricks, and more on the lock screen**.
+
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+
+ - **System** > **Notifications & actions** > **Show me tips about Windows**.
+
+ -or-
+
+- Apply the Group Policies:
+
+ - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ - Add a location in the **Path to local lock screen image** box.
+
+ - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+
+ > [!NOTE]
+ > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+
+
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+
+For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md).
+
+### 24. Windows Store
+
+You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
+
+### 25. Windows Update Delivery Optimization
+
+Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+
+By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
+
+Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
+
+In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
+
+### 25.1 Settings > Update & security
+
+You can set up Delivery Optimization from the **Settings** UI.
+
+- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
+
+### 25.2 Delivery Optimization Group Policies
+
+You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
+| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note:** This ID must be a GUID.|
+| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+### 25.3 Delivery Optimization MDM policies
+
+The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
+| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note** This ID must be a GUID.|
+| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+
+### 25.4 Delivery Optimization Windows Provisioning
+
+If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
+
+Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
+
+1. Open Windows ICD, and then click **New provisioning package**.
+
+2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
+
+3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
+
+4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
+
+For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
+
+### 26. Windows Update
+
+You can turn off Windows Update by setting the following registry entries:
+
+- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+ -and-
+
+- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+ -and-
+
+- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
+
+
+You can turn off automatic updates by doing one of the following. This is not recommended.
+
+- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+
+ -or-
+
+- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Notify the user before downloading the update.
+
+ - **1**. Auto install the update and then notify the user to schedule a device restart.
+
+ - **2** (default). Auto install and restart.
+
+ - **3**. Auto install and restart at a specified time.
+
+ - **4**. Auto install and restart without end-user control.
+
+ - **5**. Turn off automatic updates.
+
+To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/configure/manage-cortana-in-enterprise.md b/windows/configure/manage-cortana-in-enterprise.md
new file mode 100644
index 0000000000..33b7160191
--- /dev/null
+++ b/windows/configure/manage-cortana-in-enterprise.md
@@ -0,0 +1,5 @@
+---
+title: Cortana integration in your business or enterprise (Windows 10)
+description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview
+---
\ No newline at end of file
diff --git a/windows/configure/manage-tips-and-suggestions.md b/windows/configure/manage-tips-and-suggestions.md
new file mode 100644
index 0000000000..547f77a1aa
--- /dev/null
+++ b/windows/configure/manage-tips-and-suggestions.md
@@ -0,0 +1,64 @@
+---
+title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10)
+description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
+keywords: ["device management"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 and Windows Store tips, tricks, and suggestions
+
+
+**Applies to**
+
+- Windows 10
+
+
+Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include:
+
+* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover.
+
+* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Windows Store.
+
+* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the user’s experience.
+
+* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
+
+* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
+
+>[!TIP]
+> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, tricks, and suggestions and Windows Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows.
+
+Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
+
+## Options available to manage Windows 10 tips and tricks and Windows Store suggestions
+
+| Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps |
+| --- | --- | --- | --- |
+| Windows 10 Pro | No | Yes | Yes (default) |
+| Windows 10 Enterprise | Yes | Yes | Yes (default) |
+| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
+| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
+
+
+
+## Related topics
+
+- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md)
+- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
+- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md)
+- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md
new file mode 100644
index 0000000000..61fd0bf61e
--- /dev/null
+++ b/windows/configure/mobile-lockdown-designer.md
@@ -0,0 +1,86 @@
+---
+title: Manage and update Windows 10 (Windows 10)
+description: Learn about managing and updating Windows 10.
+ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0
+keywords: Windows 10, MDM, WSUS, Windows update
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Manage and update Windows 10
+
+Learn about managing and updating Windows 10.
+
+>[!NOTE]
+>Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/).
+
+## In this section
+
+
+
+
+
+## Related topics
+[Windows 10 and Windows 10 Mobile](../index.md)
+
+
+[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md
new file mode 100644
index 0000000000..6fd085952b
--- /dev/null
+++ b/windows/configure/product-ids-in-windows-10-mobile.md
@@ -0,0 +1,262 @@
+---
+title: Product IDs in Windows 10 Mobile (Windows 10)
+description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
+ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C
+keywords: ["lockdown"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Product IDs in Windows 10 Mobile
+
+
+**Applies to**
+
+- Windows 10 Mobile
+
+You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
+
+## Apps included in Windows 10 Mobile
+
+
+The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile.
+
+
+
+
+
+Topic
+Description
+
+
+
+
+[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Get product ID and AUMID for other apps
+
+
+To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps.
+
+**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for
+
+1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
+
+2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done 
+
+3. Tap **advanced**, and then **tap export to SD card**.
+
+4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app.
+
+## Related topics
+
+
+[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
+
+[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/provision-pcs-for-initial-deployment.md b/windows/configure/provision-pcs-for-initial-deployment.md
new file mode 100644
index 0000000000..86c8e234ff
--- /dev/null
+++ b/windows/configure/provision-pcs-for-initial-deployment.md
@@ -0,0 +1,123 @@
+---
+title: Provision PCs with common settings (Windows 10)
+description: Create a provisioning package to apply common settings to a PC running Windows 10.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provision PCs with common settings for initial deployment (simple provisioning)
+
+
+**Applies to**
+
+- Windows 10
+
+This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+## Advantages
+- You can configure new devices without reimaging.
+
+- Works on both mobile and desktop devices.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## What does simple provisioning do?
+
+In a simple provisioning package, you can configure:
+
+- Device name
+- Upgraded product edition
+- Wi-Fi network
+- Active Directory enrollment
+- Local administrator account
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md).
+
+> [!TIP]
+> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+
+
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Simple provisioning**.
+
+ 
+
+3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps.
+
+ 
+
+4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+
+5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
+ - Pro to Education
+ - Pro to Enterprise
+ - Enterprise to Education
+
+6. Click **Set up network**.
+
+7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+
+8. Click **Enroll into Active Directory**.
+
+9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account.
+
+ > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+ - Use a least-privileged domain account to join the device to the domain.
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+ - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
+
+10. Click **Finish**.
+
+11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+
+12. Click **Create**.
+
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+
+ **Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
diff --git a/windows/configure/provision-pcs-with-apps-and-certificates.md b/windows/configure/provision-pcs-with-apps-and-certificates.md
new file mode 100644
index 0000000000..6e4614a977
--- /dev/null
+++ b/windows/configure/provision-pcs-with-apps-and-certificates.md
@@ -0,0 +1,196 @@
+---
+title: Provision PCs with apps and certificates (Windows 10)
+description: Create a provisioning package to apply settings to a PC running Windows 10.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provision PCs with apps and certificates for initial deployment (advanced provisioning)
+
+
+**Applies to**
+
+- Windows 10
+
+
+This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+## Advantages
+- You can configure new devices without reimaging.
+
+- Works on both mobile and desktop devices.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+ 
+
+3. Name your project and click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
+
+
+### Add a desktop app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option.
+
+> [!NOTE]
+> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md).
+
+
+### Add a universal app to your package
+
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
+
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+
+ 
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
+
+ 
+
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
+
+ - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
+
+ 
+
+ - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
+
+6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
+
+7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *
+
+
+
+App
+Product ID
+AUMID
+
+
+Alarms and clock
+44F7D2B4-553D-4BEC-A8B7-634CE897ED5F
+Microsoft.WindowsAlarms_8wekyb3d8bbwe!App
+
+
+Calculator
+B58171C6-C70C-4266-A2E8-8F9C994F4456
+Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
+
+
+Camera
+F0D8FEFD-31CD-43A1-A45A-D0276DB069F1
+Microsoft.WindowsCamera_8wekyb3d8bbwe!App
+
+
+Contact Support
+0DB5FCFF-4544-458A-B320-E352DFD9CA2B
+Windows.ContactSupport_cw5n1h2txyewy!App
+
+
+Cortana
+FD68DCF4-166F-4C55-A4CA-348020F71B94
+Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
+
+
+Excel
+EAD3E7C0-FAE6-4603-8699-6A448138F4DC
+Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
+
+
+Facebook
+82A23635-5BD9-DF11-A844-00237DE2DB9E
+Microsoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
+
+
+File Explorer
+C5E2524A-EA46-4F67-841F-6A9465D9D515
+c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
+
+
+FM Radio
+F725010E-455D-4C09-AC48-BCDEF0D4B626
+N/A
+
+
+Get Started
+B3726308-3D74-4A14-A84C-867C8C735C3C
+Microsoft.Getstarted_8wekyb3d8bbwe!App
+
+
+Groove Music
+D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0
+Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
+
+
+Maps
+ED27A07E-AF57-416B-BC0C-2596B622EF7D
+Microsoft.WindowsMaps_8wekyb3d8bbwe!App
+
+
+Messaging
+27E26F40-E031-48A6-B130-D1F20388991A
+Microsoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
+
+
+Microsoft Edge
+395589FB-5884-4709-B9DF-F7D558663FFD
+Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
+
+
+Money
+1E0440F1-7ABF-4B9A-863D-177970EEFB5E
+Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance
+
+
+Movies and TV
+6AFFE59E-0467-4701-851F-7AC026E21665
+Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
+
+
+News
+9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1
+Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
+
+
+OneDrive
+AD543082-80EC-45BB-AA02-FFE7F4182BA8
+Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
+
+
+OneNote
+CA05B3AB-F157-450C-8C49-A1F127F5E71D
+Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
+
+
+Outlook Calendar
+
+
+Outlook Mail
+
+
+People
+60BE1FB8-3291-4B21-BD39-2221AB166481
+Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
+
+
+Phone (dialer)
+F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7
+Microsoft.CommsPhone_8wekyb3d8bbwe!App
+
+
+Photos
+FCA55E1B-B9A4-4289-882F-084EF4145005
+Microsoft.Windows.Photos_8wekyb3d8bbwe!App
+
+
+Podcasts
+C3215724-B279-4206-8C3E-61D1A9D63ED3
+Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
+
+
+Powerpoint
+B50483C4-8046-4E1B-81BA-590B24935798
+Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
+
+
+Settings
+2A4E62D8-8809-4787-89F8-69D0F01654FB
+2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
+
+
+Skype
+C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51
+Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
+
+
+Skype Video
+27E26F40-E031-48A6-B130-D1F20388991A
+Microsoft.Messaging_8wekyb3d8bbwe!App
+
+
+Sports
+0F4C8C7E-7114-4E1E-A84C-50664DB13B17
+Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
+
+
+Storage
+5B04B775-356B-4AA0-AAF8-6491FFEA564D
+N/A
+
+
+Store
+7D47D89A-7900-47C5-93F2-46EB6D94C159
+Microsoft.WindowsStore_8wekyb3d8bbwe!App
+
+
+Voice recorder
+7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0
+Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
+
+
+Wallet
+587A4577-7868-4745-A29E-F996203F1462
+Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
+
+
+Weather
+63C2A117-8604-44E7-8CEF-DF10BE3A57C8
+Microsoft.BingWeather_8wekyb3d8bbwe!App
+
+
+Windows Feedback
+7604089D-D13F-4A2D-9998-33FC02B63CE3
+Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
+
+
+Word
+258F115C-48F4-4ADB-9A68-1387E634459B
+Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word
+
+
+
+Xbox
+B806836F-EEBE-41C9-8669-19E243B81B83
+Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
+
+
+
+
+## Related topics
+[Windows 10 and Windows 10 Mobile](../index.md)
+
+
+[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/configure/provisioning-create-package.md b/windows/configure/provisioning-create-package.md
new file mode 100644
index 0000000000..f543e6d10f
--- /dev/null
+++ b/windows/configure/provisioning-create-package.md
@@ -0,0 +1,149 @@
+---
+title: Create a provisioning package (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Create a provisioning package for Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10.
+
+>[Learn how to install Windows ICD.](provisioning-install-icd.md)
+
+## Start a new project
+
+1. Open Windows ICD:
+ - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut,
+
+ or
+
+ - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+
+2. Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image:
+
+ 
+
+ - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings.
+ - The **Advanced provisioning** option opens a new project with all **Runtime settings** available.
+
+ >[!TIP]
+ >You can start a project in the simple editor and then switch the project to the advanced editor.
+ >
+ >
+
+3. Enter a name for your project, and then click **Next**.
+
+4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options.
+
+ | Windows edition | Settings available for customization | Provisioning package can apply to |
+ | --- | --- | --- |
+ | All Windows editions | Common settings | All Windows 10 devices |
+ | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) |
+ | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices |
+ | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices |
+ | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) |
+ | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) |
+
+5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**.
+
+>[!TIP]
+>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly.
+
+After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**.
+
+- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md).
+- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain).
+
+
+## Configure settings
+
+For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
+
+
+
+The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+
+The process for configuring settings is similar for all settings. The following table shows an example.
+
+
+
+
+
+Topic
+Description
+
+
+
+
+[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image.
+
+
+
+
+ ## Build package
+
+1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
+
+ 
+
+2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
+ - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
+ - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field.
+ - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
+ - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
+
+3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections.
+
+ - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen.
+ - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
+
+ >[!NOTE]
+ >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
+ >
+ >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
+
+4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location.
+
+5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+
+ If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
+
+6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+7. When you are done, click **Finish** to close the wizard and go back to the Customizations page.
+
+**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
diff --git a/windows/configure/provisioning-how-it-works.md b/windows/configure/provisioning-how-it-works.md
new file mode 100644
index 0000000000..1f9b72eb6c
--- /dev/null
+++ b/windows/configure/provisioning-how-it-works.md
@@ -0,0 +1,184 @@
+---
+title: How provisioning works in Windows 10 (Windows 10)
+description: A provisioning package (.ppkg) is a container for a collection of configuration settings.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# How provisioning works in Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+## Provisioning packages
+
+A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device.
+
+To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source.
+
+A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format:
+
+- Package metadata – The metadata contains basic information about the package such as package name, description, version, ranking, and so on.
+
+- XML descriptors – Each descriptor defines a customization asset or configuration setting included in the package.
+
+- Asset payloads – The payloads of a customization asset or a configuration setting associated with an app or data asset.
+
+You can use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location.
+
+## Precedence for provisioning packages
+
+When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence:
+
+1. Microsoft
+
+2. Silicon Vender
+
+3. OEM
+
+4. System Integrator
+
+5. Mobile Operator
+
+6. IT Admin
+
+The valid value range of package rank level is 0 to 99.
+
+When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device.
+
+## Windows provisioning XML
+
+Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner.
+
+Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format.
+
+When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use.
+
+## Provisioning engine
+
+The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10.
+
+The provisioning engine provides the following functionality:
+
+- Provisioning configuration at any time when the device is running including first boot and setup or OOBE. It is also extensible to other points during the run-time of the device.
+- Reading and combining settings from multiple sources of configuration that may be added to an image by Microsoft, the OEM, or system integrator, or added by IT/education administrators or users to the device at run-time. Configuration sources may be built into the image or from provisioning packages added to the device.
+- Responding to triggers or events and initiating a provisioning stage.
+- Authenticating the provisioning packages.
+- Selecting a set of configuration based on the stage and a set of keys—such as the SIM, MCC/MNC, IMSI range, and so on—that map to a specific configuration then passing this configuration to the configuration management infrastructure to be applied.
+- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined.
+
+## Configuration manager
+
+The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings.
+
+The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied.
+
+Underneath the configuration manager are the CSPs. Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions.
+
+## Policy and resource manager
+
+The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself.
+
+The key differences between enterprise enrollment and the configuration performed by the provisioning engine are:
+- Enrollment enforces a limited and controlled set of policies on the device that the user may not have full control over. The provisioning engine exposes a larger set of settings that configure more aspects of the device and are generally user adjustable.
+- The policy manager manages policy settings from multiple entities and performs a selection of the setting based on priority of the entities. The provisioning engine applies the settings and does not offer a means of prioritizing settings from different sources. The more specific provisioning is the last one applied and the one that is used.
+- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings.
+
+In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager.
+
+## Triggers and stages
+
+Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive).
+
+When a trigger occurs, provisioning is initiated for a particular provisioning stage. The stages are grouped into sets based on the scope of the settings:
+- **Static**: First stage run for provisioning to apply configuration settings to the system to set up OOBE or apply device-wide settings that cannot be done when the image is being created.
+- **System**: Run during OOBE and configure system-wide settings.
+- **UICC**: UICC stages run for each new UICC in a device to handle configuration and branding based on the identity of the UICC or SIM card. This enables the runtime configuration scenarios where an OEM can maintain one image that can be configured for multiple operators.
+- **Update**: Runs after an update to apply potential updated settings changes.
+- **User**: runs during a user account first run to configure per-user settings.
+
+
+
+
+
+
+
+
+
+## Device provisioning during OOBE
+
+The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect.
+
+Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media.
+
+The following table shows how device provisioning can be initiated when a user first boots to OOBE.
+
+
+| Package delivery | Initiation method | Supported device |
+| --- | --- | --- |
+| Removable media - USB drive or SD card (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices |
+| From an administrator device through machine to machine NFC or NFC tag(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices |
+
+The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device.
+
+When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s).
+
+## Device provisioning at runtime
+
+At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime.
+
+The following table shows when provisioning at device runtime can be initiated.
+
+| Package delivery | Initiation method | Supported device |
+| --- | --- | --- |
+| Removable media - USB drive or SD card(Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices |
+| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices |
+| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows 10 Mobile devices and IoT Core devices |
+
+When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device.
+
+When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device.
+
+After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device.
+
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/provisioning-install-icd.md b/windows/configure/provisioning-install-icd.md
new file mode 100644
index 0000000000..9727bc089d
--- /dev/null
+++ b/windows/configure/provisioning-install-icd.md
@@ -0,0 +1,106 @@
+---
+title: Install Windows Imaging and Configuration Designer (Windows 10)
+description: Learn how to install and run Windows ICD.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Install Windows Imaging and Configuration Designer (ICD)
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
+
+## Supported platforms
+
+Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems:
+
+- Windows 10 - x86 and amd64
+- Windows 8.1 Update - x86 and amd64
+- Windows 8.1 - x86 and amd64
+- Windows 8 - x86 and amd64
+- Windows 7 - x86 and amd64
+- Windows Server 2016
+- Windows Server 2012 R2 Update
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+## Install Windows ICD
+
+1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607).
+
+ >[!NOTE]
+ >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example.
+
+2. Save **adksetup.exe** and then run it.
+
+3. On the **Specify Location** page, select an installation path and then click **Next**.
+ >[!NOTE]
+ >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB.
+4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**.
+
+5. Accept the **License Agreement**, and then click **Next**.
+
+6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
+
+ 
+
+## Current Windows ICD limitations
+
+
+- You can only run one instance of Windows ICD on your computer at a time.
+
+- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process.
+
+- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+
+- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time.
+
+- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**.
+
+- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC.
+
+ For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC.
+
+- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device.
+
+**Next step**: [How to create a provisioning package](provisioning-create-package.md)
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/provisioning-multivariant.md b/windows/configure/provisioning-multivariant.md
new file mode 100644
index 0000000000..3bc7652233
--- /dev/null
+++ b/windows/configure/provisioning-multivariant.md
@@ -0,0 +1,322 @@
+---
+title: Create a provisioning package with multivariant settings (Windows 10)
+description: Create a provisioning package with multivariant settings to customize the provisioned settings.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Create a provisioning package with multivariant settings
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales.
+
+To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
+
+The following events trigger provisioning on Windows 10 devices:
+
+| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) |
+| --- | --- | --- |
+| System boot | Supported | Supported |
+| Operating system update | Supported | Planned |
+| Package installation during device first run experience | Supported | Supported |
+| Detection of SIM presence or update | Supported | Not supported |
+| Package installation at runtime | Supported | Supported |
+| Roaming detected | Supported | Not supported |
+
+## Target, TargetState, Condition, and priorities
+
+Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant.
+
+- You can define multiple **Target** child elements for each **Id** that you need for the customization setting.
+
+- Within a **Target** you can define multiple **TargetState** elements.
+
+- Within a **TargetState** element you can create multiple **Condition** elements.
+
+- A **Condition** element defines the matching type between the condition and the specified value.
+
+The following table shows the conditions supported in Windows 10 provisioning:
+
+>[!NOTE]
+>You can use any of these supported conditions when defining your **TargetState**.
+
+| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description |
+| --- | --- | --- | --- | --- | --- |
+| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
+| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
+| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. |
+| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
+| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
+| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
+| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). |
+| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
+| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:- 0 - Slot 0- 1 - Slot 1 |
+| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. |
+| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. |
+| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
+| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. |
+| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
+| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
+| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. |
+| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. |
+| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". |
+
+The matching types supported in Windows 10 are:
+
+| Matching type | Syntax | Example |
+| --- | --- | --- |
+| Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> |
+| Regex match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> |
+| Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> |
+
+
+- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic).
+
+- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization.
+
+
+You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**.
+
+A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package.
+
+The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed:
+
+1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions.
+
+
+2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions.
+
+
+3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions.
+
+
+4. For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions.
+
+
+5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions.
+
+
+6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal.
+
+
+## Create a provisioning package with multivariant settings
+
+Follow these steps to create a provisioning package with multivariant capabilities.
+
+
+1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
+
+
+2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
+
+
+3. Open the project folder and copy the customizations.xml file.
+
+4. Use an XML or text editor to open the customizations.xml file.
+
+ The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings.
+
+ The following example shows the contents of a sample customizations.xml file.
+
+ ```XML
+
+Expand a category.  Select a setting.  Enter a value for the setting. Click **Add** if the button is displayed.  Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.  When the setting is configured, it is displayed in the **Selected customizations** pane. 
The receiving device uses this information to understand information in the Data field. |
+| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. |
+
+
+
+### NFC provisioning helper
+
+The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format:
+
+
+
+For each part:
+- **Version** should always be 0x00.
+- **Leading byte** should always be 0xFF.
+- **Order** represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0).
+- **Total** represents the total number of chunks to be transferred for the whole message.
+- **Chunk payload** represents each of the split parts.
+
+The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk.
+
+**Code example**
+
+The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device.
+
+```
+ private async void WriteProvPkgToTag(IStorageFile provPkgFile)
+ {
+ var buffer = await FileIO.ReadBufferAsync(provPkgFile);
+ if (null == buffer)
+ {
+ return;
+ }
+
+ var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
+ if (null == proximityDevice)
+ {
+ return;
+ }
+
+ var dataWriter = new DataWriter();
+ var header = new NfcProvHeader();
+
+ header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00.
+ header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF.
+ header.index = 0; // Assume we only have 1 chunk.
+ header.total = 1; // Assume we only have 1 chunk.
+
+ // Write the header first and then the raw data of the provisioning package.
+ dataWriter.WriteBytes(GetBytes(header));
+ dataWriter.WriteBuffer(buffer);
+
+ var chunkPubId = proximityDevice.PublishBinaryMessage(
+ "Windows:WriteTag.ProvPlugins.Chunk",
+ dataWriter.DetachBuffer());
+ }
+```
+
+
+### NFC-enabled device tag components
+
+Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds.
+
+To provision from an NFC-enabled source device, use [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
+
+For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device.
+
+
+
+
+
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/provisioning-packages.md b/windows/configure/provisioning-packages.md
new file mode 100644
index 0000000000..557bf3e595
--- /dev/null
+++ b/windows/configure/provisioning-packages.md
@@ -0,0 +1,127 @@
+---
+title: Provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provisioning packages for Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+
+A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+
+Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+
+The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages.
+
+## New in Windows 10, version 1607
+
+Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios.
+
+
+
+Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators:
+
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
+
+ > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
+
+ > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md)
+
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
+
+ * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)
+ * AirWatch (password-string based enrollment)
+ * Mobile Iron (password-string based enrollment)
+ * Other MDMs (cert-based enrollment)
+
+> [!NOTE]
+> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
+
+## Benefits of provisioning packages
+
+
+Provisioning packages let you:
+
+- Quickly configure a new device without going through the process of installing a new image.
+
+- Save time by configuring multiple devices using one provisioning package.
+
+- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
+
+- Set up a device without the device having network connectivity.
+
+Provisioning packages can be:
+
+- Installed using removable media such as an SD card or USB flash drive.
+
+- Attached to an email.
+
+- Downloaded from a network share.
+
+## What you can configure
+
+
+The following table provides some examples of what you can configure using provisioning packages.
+
+| Customization options | Examples |
+|--------------------------|-----------------------------------------------------------------------------------------------|
+| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
+| Applications | Windows apps, line-of-business applications |
+| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
+| Certificates | Root certification authority (CA), client certificates |
+| Connectivity profiles | Wi-Fi, proxy settings, Email |
+| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
+| Data assets | Documents, music, videos, pictures |
+| Start menu customization | Start menu layout, application pinning |
+| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
+\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
+
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+## Related topics
+
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md
new file mode 100644
index 0000000000..8754c66299
--- /dev/null
+++ b/windows/configure/provisioning-script-to-install-app.md
@@ -0,0 +1,222 @@
+---
+title: Use a script to install a desktop app in provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Use a script to install a desktop app in provisioning packages
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below).
+
+>**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher
+
+>[!NOTE]
+>This scenario is only supported for installing applications on Windows 10 for desktop, version 1511 or higher.
+
+## Assemble the application assets
+
+1. On the device where you’re authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It’s common for many apps to have an installer called ‘install.exe’ or similar, and there may be name overlap because of that. To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application.
+
+2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
+
+## Cab the application assets
+
+1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
+
+ ```
+ ;*** MSDN Sample Source Code MakeCAB Directive file example
+
+ ;
+
+ .OPTION EXPLICIT ; Generate errors on variable typos
+
+ .set DiskDirectoryTemplate=CDROM ; All cabinets go in a single directory
+
+ .Set MaxDiskFileCount=1000; Limit file count per cabinet, so that
+
+ ; scanning is not too slow
+
+ .Set FolderSizeThreshold=200000 ; Aim for ~200K per folder
+
+ .Set CompressionType=MSZIP
+
+ ;** All files are compressed in cabinet files
+
+ .Set Cabinet=on
+
+ .Set Compress=on
+
+ ;-------------------------------------------------------------------
+
+ ;** CabinetNameTemplate = name of cab
+
+ ;** DiskDirectory1 = output directory where cab will be created
+
+ ;-------------------------------------------------------------------
+
+ .Set CabinetNameTemplate=tt.cab
+
+ .Set DiskDirectory1=.
+
+ ;-------------------------------------------------------------------
+
+ ; Replace **Version**(1 byte) **Leading**
(1 byte)**Order**(1 byte) **Total**(1 byte) **Chunk payload**(N bytes)
+
+
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
new file mode 100644
index 0000000000..211f47f9c2
--- /dev/null
+++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -0,0 +1,444 @@
+---
+title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10)
+description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
+
+A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
+
+**Note**
+A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
+
+
+
+## Other settings to lock down
+
+
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device:
+
+- Put device in **Tablet mode**.
+
+ If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.**
+
+- Hide **Ease of access** feature on the logon screen.
+
+ Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+
+- Disable the hardware power button.
+
+ Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+
+- Remove the power button from the sign-in screen.
+
+ Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
+
+- Disable the camera.
+
+ Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+
+- Turn off app notifications on the lock screen.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+
+- Disable removable media.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
+
+ **Note**
+ To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+
+
+## Assigned access method for Universal Windows apps
+
+
+Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
+
+| Method | Account type | Windows 10 edition |
+| --- | --- | --- |
+| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
+| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
+| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
+| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
+
+
+
+### Requirements
+
+- A domain or local user account.
+
+- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
+
+ The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
+
+ The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
+
+**Note**
+Assigned access does not work on a device that is connected to more than one monitor.
+
+
+
+### Set up assigned access in PC settings
+
+1. Go to **Start** > **Settings** > **Accounts** > **Other users**.
+
+2. Choose **Set up assigned access**.
+
+3. Choose an account.
+
+4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
+
+5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
+
+To remove assigned access, in step 3, choose **Don't use assigned access**.
+
+### Set up assigned access in MDM
+
+Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode.
+
+[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
+
+[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
+
+### Set up assigned access using Windows Imaging and Configuration Designer (ICD)
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+> **Important**
+When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+**Create a provisioning package for a kiosk device**
+
+1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. Choose **Advanced provisioning**.
+
+3. Name your project, and click **Next**.
+
+4. Choose **All Windows desktop editions** and click **Next**.
+
+5. On **New project**, click **Finish**. The workspace for your package opens.
+
+6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**.
+
+7. Enter a string to specify the user account and app (by AUMID). For example:
+
+ "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084"
+
+8. On the **File** menu, select **Save.**
+
+9. On the **Export** menu, select **Provisioning package**.
+
+10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
+
+ Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+**Apply the provisioning package**
+
+1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
+
+2. Consent to allow the package to be installed.
+
+ After you allow the package to be installed, the settings will be applied to the device
+
+[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
+
+### Set up assigned access using Windows PowerShell
+
+You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
+
+To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
+
+```
+Set-AssignedAccess -AppUserModelId
+
+
+
+Topic
+Description
+
+
+
+
+
+
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. |
+| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
+| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
+| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
+| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
+| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
- Local storage locations are restricted. Users can only save files to the cloud.
- Custom Start and taskbar layouts are set.\*
- A custom sign-in screen background image is set.\*
- Additional educational policies are applied (see full list below).
\*Only applies to Windows 10 Pro Education, Enterprise, and Education |
+| Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) |
+| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
+| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
+
+
+##Configuring shared PC mode on Windows
+You can configure Windows to be in shared PC mode in a couple different ways:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
+
+
+
+- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC.
+
+
+
+
+### Create a provisioning package for shared use
+
+Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. On the **Start page**, select **Advanced provisioning**.
+
+3. Enter a name and (optionally) a description for the project, and click **Next**.
+
+4. Select **All Windows desktop editions**, and click **Next**.
+
+5. Click **Finish**. Your project opens in Windows ICD.
+
+6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
+
+7. On the **File** menu, select **Save.**
+8. On the **Export** menu, select **Provisioning package**.
+9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+10. Set a value for **Package Version**.
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+ Optionally, you can click **Browse** to change the default output location.
+13. Click **Next**.
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+ - Shared network folder
+
+ - SharePoint site
+
+ - Removable media (USB/SD) (select this option to apply to a PC during initial setup)
+
+
+### Apply the provisioning package
+
+You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
+
+**During initial setup**
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+6. Read and accept the Microsoft Software License Terms.
+
+ 
+
+7. Select **Use Express settings**.
+
+ 
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+ 
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+ 
+
+10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+ 
+
+
+**After setup**
+
+On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install.
+
+
+
+> [!NOTE]
+> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
+
+## Guidance for accounts on shared PCs
+
+* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
+* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out.
+* On a Windows PC joined to Azure Active Directory:
+ * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
+ * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
+* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
+* If admin accounts are necessary on the PC
+ * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
+ * Create admin accounts before setting up shared PC mode, or
+ * Create exempt accounts before signing out when turning shared pc mode on.
+* The account management service supports accounts that are exempt from deletion.
+ * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
+ * To add the account SID to the registry key using PowerShell:
+ ```
+ $adminName = "LocalAdmin"
+ $adminPass = 'Pa$$word123'
+ iex "net user /add $adminName $adminPass"
+ $user = New-Object System.Security.Principal.NTAccount($adminName)
+ $sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
+ $sid = $sid.Value;
+ New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
+ ```
+
+
+
+
+## Policies set by shared PC mode
+Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
+
+> [!IMPORTANT]
+> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
+
+
+
+
+
+
+
+## Related topics
+
+[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/settings-that-can-be-locked-down.md b/windows/configure/settings-that-can-be-locked-down.md
new file mode 100644
index 0000000000..c0348677ba
--- /dev/null
+++ b/windows/configure/settings-that-can-be-locked-down.md
@@ -0,0 +1,517 @@
+---
+title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10)
+description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
+ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
+keywords: ["lockdown"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Settings and quick actions that can be locked down in Windows 10 Mobile
+
+
+**Applies to**
+
+- Windows 10 Mobile
+
+This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
+
+## Settings lockdown
+
+
+You can use Lockdown.xml to configure lockdown settings.
+
+The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Quick actions lockdown
+
+
+Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional.
+
+You can specify the quick actions as follows:
+
+``` syntax
+
+
+
+
+Main menu
+Sub-menu
+Page name
+
+
+System
+
+ SettingsPageGroupPCSystem
+
+
+
+ Display
+SettingsPageDisplay
+
+
+
+ Notifications & actions
+SettingsPageAppsNotifications
+
+
+
+ Phone
+SettingsPageCalls
+
+
+
+ Messaging
+SettingsPageMessaging
+
+
+
+ Battery
+SettingsPageBatterySaver
+
+
+
+ Apps for websites
+SettingsPageAppsForWebsites
+
+
+
+ Storage
+SettingsPageStorageSenseStorageOverview
+
+
+
+ Driving mode
+SettingsPageDrivingMode
+
+
+
+ Offline maps
+SettingsPageMaps
+
+
+
+ About
+SettingsPagePCSystemInfo
+
+
+Devices
+
+ SettingsPageGroupDevices
+
+
+
+ Default camera
+SettingsPagePhotos
+
+
+
+ Bluetooth
+SettingsPagePCSystemBluetooth
+
+
+
+ NFC
+SettingsPagePhoneNFC
+
+
+
+ Mouse
+SettingsPageMouseTouchpad
+
+
+
+ USB
+SettingsPageUsb
+
+
+Network and wireless
+
+ SettingsPageGroupNetwork
+
+
+
+ Cellular & SIM
+SettingsPageNetworkCellular
+
+
+
+ Wi-Fi
+SettingsPageNetworkWiFi
+
+
+
+ Airplane mode
+SettingsPageNetworkAirplaneMode
+
+
+
+ Data usage
+SettingsPageDataSenseOverview
+
+
+
+ Mobile hotspot
+SettingsPageNetworkMobileHotspot
+
+
+
+ VPN
+SettingsPageNetworkVPN
+
+
+Personalization
+
+ SettingsPageGroupPersonalization
+
+
+
+ Start
+SettingsPageBackGround
+
+
+
+ Colors
+SettingsPageColors
+
+
+
+ Sounds
+SettingsPageSounds
+
+
+
+ Lock screen
+SettingsPageLockscreen
+
+
+
+ Glance screen
+SettingsPageGlance
+
+
+
+ Navigation bar
+SettingsNagivationBar
+
+
+Accounts
+
+ SettingsPageGroupAccounts
+
+
+
+ Your info
+SettingsPageAccountsPicture
+
+
+
+ Sign-in options
+SettingsPageAccountsSignInOptions
+
+
+
+ Email & app accounts
+SettingsPageAccountsEmailApp
+
+
+
+ Access work or school
+SettingsPageWorkAccess
+
+
+
+ Sync your settings
+SettingsPageAccountsSync
+
+
+
+ SettingsPageAppsCorner
+
+
+Time & language
+
+ SettingsPageGroupTimeRegion
+
+
+
+ Date & time
+SettingsPageTimeRegionDateTime
+
+
+
+ Language
+SettingsPageTimeLanguage
+
+
+
+ Region
+SettingsPageTimeRegion
+
+
+
+ Keyboard
+SettingsPageKeyboard
+
+
+
+ Speech
+SettingsPageSpeech
+
+
+Ease of access
+
+ SettingsPageGroupEaseOfAccess
+
+
+
+ Narrator
+SettingsPageEaseOfAccessNarrator
+
+
+
+ Magnifier
+SettingsPageEaseOfAccessMagnifier
+
+
+
+ High contrast
+SettingsPageEaseOfAccessHighContrast
+
+
+
+ Closed captions
+SettingsPageEaseOfAccessClosedCaptioning
+
+
+
+ More options
+SettingsPageEaseOfAccessMoreOptions
+
+
+Privacy
+
+ SettingsPageGroupPrivacy
+
+
+
+ Location
+SettingsPagePrivacyLocation
+
+
+
+ Camera
+SettingsPagePrivacyWebcam
+
+
+
+ Microphone
+SettingsPagePrivacyMicrophone
+
+
+
+ Motion
+SettingsPagePrivacyMotionData
+
+
+
+ Notifications
+SettingsPagePrivacyNotifications
+
+
+
+ Speech. inking, & typing
+SettingsPagePrivacyPersonalization
+
+
+
+ Account info
+SettingsPagePrivacyAccountInfo
+
+
+
+ Contacts
+SettingsPagePrivacyContacts
+
+
+
+ Calendar
+SettingsPagePrivacyCalendar
+
+
+
+ Phone calls
+SettingsPagePrivacyPhoneCall
+
+
+
+ Call history
+SettingsPagePrivacyCallHistory
+
+
+ Email
+SettingsPagePrivacyEmail
+
+
+
+ Messaging
+SettingsPagePrivacyMessaging
+
+
+
+ Radios
+SettingsPagePrivacyRadios
+
+
+
+ Continue App Experiences
+SettingsPagePrivacyCDP
+
+
+
+ Background apps
+SettingsPagePrivacyBackgroundApps
+
+
+
+ Accessory apps
+SettingsPageAccessories
+
+
+
+ Advertising ID
+SettingsPagePrivacyAdvertisingId
+
+
+
+ Other devices
+SettingsPagePrivacyCustomPeripherals
+
+
+
+ Feedback and diagnostics
+SettingsPagePrivacySIUFSettings
+
+
+Update and security
+
+ SettingsPageGroupRestore
+
+
+
+ Phone update
+SettingsPageRestoreMusUpdate
+
+
+
+ Windows Insider Program
+SettingsPageFlights
+
+
+
+ Device encryption
+SettingsPageGroupPCSystemDeviceEncryption
+
+
+
+ Backup
+SettingsPageRestoreOneBackup
+
+
+
+ Find my phone
+SettingsPageFindMyDevice
+
+
+
+ For developers
+SettingsPageSystemDeveloperOptions
+
+
+OEM
+
+ SettingsPageGroupExtensibility
+
+
+
+
+ Extensibility
+SettingsPageExtensibility
+
+
+
+
+## Related topics
+[Windows 10 and Windows 10 Mobile](../index.md)
+
+
+[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/configure/stop-employees-from-using-the-windows-store.md b/windows/configure/stop-employees-from-using-the-windows-store.md
new file mode 100644
index 0000000000..d09e5ae2be
--- /dev/null
+++ b/windows/configure/stop-employees-from-using-the-windows-store.md
@@ -0,0 +1,124 @@
+---
+title: Configure access to Windows Store (Windows 10)
+description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
+ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store, mobile
+author: TrudyHa
+localizationpriority: high
+---
+
+# Configure access to Windows Store
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
+
+## Options to configure access to Windows Store
+
+
+You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
+
+## Block Windows Store using AppLocker
+
+Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
+
+
+AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers.
+
+For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md).
+
+**To block Windows Store using AppLocker**
+
+1. Type secpol in the search bar to find and start AppLocker.
+
+2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**.
+
+3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
+
+4. On **Before You Begin**, click **Next**.
+
+5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
+
+6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**.
+
+7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**.
+
+ [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules.
+
+8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
+
+## Block Windows Store using Group Policy
+
+
+Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education
+
+> [!Note]
+> Not supported on Windows 10 Pro.
+
+You can also use Group Policy to manage access to Windows Store.
+
+**To block Windows Store using Group Policy**
+
+1. Type gpedit in the search bar to find and start Group Policy Editor.
+
+2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**.
+
+3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**.
+
+4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
+
+## Block Windows Store using management tool
+
+
+Applies to: Windows 10 Mobile
+
+If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app.
+
+When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app:
+
+- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030)
+
+- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
+
+For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
+
+## Show private store only using Group Policy
+Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
+
+If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
+
+**To show private store only in Windows Store app**
+
+1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
+
+2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
+
+3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
+
+ This opens the **Only display the private store within the Windows Store app** policy settings.
+
+4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+
+## Related topics
+
+[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
+
+[Manage access to private store](manage-access-to-private-store.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configure/windows-10-start-layout-options-and-policies.md
new file mode 100644
index 0000000000..85a835748e
--- /dev/null
+++ b/windows/configure/windows-10-start-layout-options-and-policies.md
@@ -0,0 +1,178 @@
+---
+title: Manage Windows 10 Start and taskbar layout (Windows 10)
+description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education.
+ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
+keywords: ["start screen", "start menu"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 Start and taskbar layout
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
+
+Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
+
+>[!NOTE]
+>Taskbar configuration is available starting in Windows 10, version 1607.
+
+## Start options
+
+
+
+Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
+
+The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
+
+
+
+
+
+Topic
+Description
+
+
+
+
+[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ## Taskbar options
+
+Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
+
+There are three categories of apps that might be pinned to a taskbar:
+* Apps pinned by the user
+* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
+* Apps pinned by the enterprise, such as in an unattended Windows setup
+
+ **Note**
+ The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
+
+The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
+
+> **Note** In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
+
+
+
+Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
+* Pin additional apps
+* Change the order of pinned apps
+* Unpin any app
+
+### Taskbar configuration applied to clean install of Windows 10
+
+In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
+
+### Taskbar configuration applied to Windows 10 upgrades
+
+When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
+
+The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
+* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
+* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
+* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
+* New apps specified in updated layout file are pinned to right of user's pinned apps.
+
+
+
+## Related topics
+
+
+[Customize and export Start layout](customize-and-export-start-layout.md)
+
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+
+[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+
+[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/configure/windows-spotlight.md b/windows/configure/windows-spotlight.md
new file mode 100644
index 0000000000..eb3af0eb51
--- /dev/null
+++ b/windows/configure/windows-spotlight.md
@@ -0,0 +1,85 @@
+---
+title: Windows Spotlight on the lock screen (Windows 10)
+description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
+ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
+keywords: ["lockscreen"]
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Windows Spotlight on the lock screen
+
+
+**Applies to**
+
+- Windows 10
+
+Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
+
+For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
+
+
+>[!NOTE]
+>In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**.
+
+## What does Windows Spotlight include?
+
+
+- **Background image**
+
+ The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
+
+ 
+
+- **Feature suggestions, fun facts, tips**
+
+ The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
+
+## How do you turn off Windows Spotlight locally?
+
+
+To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background
+
+
+
+## How do you disable Windows Spotlight for managed devices?
+
+
+Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers.
+
+**Windows 10 Pro, Enterprise, and Education**
+
+- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services.
+
+**Windows 10 Enterprise and Education**
+
+* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting.
+* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.)
+
+Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+
+>[!WARNING]
+> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
+
+
+
+Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
+
+
+
+## Related topics
+
+
+[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index 98951382e3..615e8a2869 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -54,18 +54,6 @@
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-## [Provisioning packages for Windows 10](provisioning-packages.md)
-### [How provisioning works in Windows 10](provisioning-how-it-works.md)
-### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-### [Create a provisioning package](provisioning-create-package.md)
-### [Apply a provisioning package](provisioning-apply-package.md)
-### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-### [NFC-based device provisioning](provisioning-nfc.md)
-### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index f5417ba0f7..fe32881802 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -1,77 +1,43 @@
-# [Manage and update Windows 10](index.md)
+# [Manage Windows 10](index.md)
+## [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
+## [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
-## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
-### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
-#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
-#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
-#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
-#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md)
-### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
-### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
-### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
-### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
-### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
-### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
-## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
-### [Quick guide to Windows as a service](waas-quick-start.md)
-### [Overview of Windows as a service](waas-overview.md)
-### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-### [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
-#### [Get started with Update Compliance](update-compliance-get-started.md)
-#### [Use Update Compliance](update-compliance-using.md)
-### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-#### [Configure Windows Update for Business](waas-configure-wufb.md)
-#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-### [Manage device restarts after updates](waas-restart.md)
-## [Manage corporate devices](manage-corporate-devices.md)
-### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
-### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
-### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
-### [New policies for Windows 10](new-policies-for-windows-10.md)
-### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
-### [Changes to Group Policy settings for Windows 10 Start menu](changes-to-start-policies-in-windows-10.md)
-### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
-## [Windows Spotlight on the lock screen](windows-spotlight.md)
-## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-### [Customize and export Start layout](customize-and-export-start-layout.md)
-### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
-### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+## [Windows Store for Business](windows-store-for-business.md)
+### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
+####[Windows Store for Business overview](windows-store-for-business-overview.md)
+#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
+#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
+#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
+#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
+### [Find and acquire apps](find-and-acquire-apps-overview.md)
+#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
+#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
+#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
+### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
+#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
+#### [Assign apps to employees](assign-apps-to-employees.md)
+#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
+#### [Distribute offline apps](distribute-offline-apps.md)
+### [Manage apps](manage-apps-windows-store-for-business-overview.md)
+#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
+#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
+#### [Manage access to private store](manage-access-to-private-store.md)
+#### [Manage private store settings](manage-private-store-settings.md)
+#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
+### [Device Guard signing portal](device-guard-signing-portal.md)
+#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
+#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
+### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
+#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
+#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
+### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
## [Create mandatory user profiles](mandatory-user-profile.md)
-## [Lock down Windows 10](lock-down-windows-10.md)
-### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
-### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
-#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
-#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
-### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
-### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
-### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
-### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
-#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
-#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
-### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
+## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
-## [Configure devices without MDM](configure-devices-without-mdm.md)
+## [New policies for Windows 10](new-policies-for-windows-10.md)
+## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
+## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
+## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
### [Getting Started with App-V](appv-getting-started.md)
#### [What's new in App-V](appv-about-appv.md)
@@ -192,33 +158,5 @@
#### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
#### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
#### [Security Considerations for UE-V](uev-security-considerations.md)
-## [Windows Store for Business](windows-store-for-business.md)
-### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
-####[Windows Store for Business overview](windows-store-for-business-overview.md)
-#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
-#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
-#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
-#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
-### [Find and acquire apps](find-and-acquire-apps-overview.md)
-#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
-#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
-#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
-### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
-#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
-#### [Assign apps to employees](assign-apps-to-employees.md)
-#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
-#### [Distribute offline apps](distribute-offline-apps.md)
-### [Manage apps](manage-apps-windows-store-for-business-overview.md)
-#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
-#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
-#### [Manage access to private store](manage-access-to-private-store.md)
-#### [Manage private store settings](manage-private-store-settings.md)
-#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
-### [Device Guard signing portal](device-guard-signing-portal.md)
-#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
-#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
-### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
-#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
-#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
-### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
-## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
+
+## [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/update/TOC.md b/windows/update/TOC.md
new file mode 100644
index 0000000000..ea706d582d
--- /dev/null
+++ b/windows/update/TOC.md
@@ -0,0 +1,22 @@
+# [Update Windows 10](index.md)
+## [Quick guide to Windows as a service](waas-quick-start.md)
+## [Overview of Windows as a service](waas-overview.md)
+## [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+## [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+## [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+## [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
+### [Get started with Update Compliance](update-compliance-get-started.md)
+### [Use Update Compliance](update-compliance-using.md)
+## [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+## [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+## [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+### [Configure Windows Update for Business](waas-configure-wufb.md)
+### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+## [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+## [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+## [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/update/images/ActionCenterXML.jpg b/windows/update/images/ActionCenterXML.jpg
new file mode 100644
index 0000000000..b9832b2708
Binary files /dev/null and b/windows/update/images/ActionCenterXML.jpg differ
diff --git a/windows/update/images/AppsXML.jpg b/windows/update/images/AppsXML.jpg
new file mode 100644
index 0000000000..ecc1869bb5
Binary files /dev/null and b/windows/update/images/AppsXML.jpg differ
diff --git a/windows/update/images/AppsXML.png b/windows/update/images/AppsXML.png
new file mode 100644
index 0000000000..3981543264
Binary files /dev/null and b/windows/update/images/AppsXML.png differ
diff --git a/windows/update/images/ButtonsXML.jpg b/windows/update/images/ButtonsXML.jpg
new file mode 100644
index 0000000000..238eca7e68
Binary files /dev/null and b/windows/update/images/ButtonsXML.jpg differ
diff --git a/windows/update/images/CSPRunnerXML.jpg b/windows/update/images/CSPRunnerXML.jpg
new file mode 100644
index 0000000000..071b316a9e
Binary files /dev/null and b/windows/update/images/CSPRunnerXML.jpg differ
diff --git a/windows/update/images/ICDstart-option.PNG b/windows/update/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/windows/update/images/ICDstart-option.PNG differ
diff --git a/windows/update/images/MenuItemsXML.png b/windows/update/images/MenuItemsXML.png
new file mode 100644
index 0000000000..cc681250bb
Binary files /dev/null and b/windows/update/images/MenuItemsXML.png differ
diff --git a/windows/update/images/SettingsXML.png b/windows/update/images/SettingsXML.png
new file mode 100644
index 0000000000..98a324bdea
Binary files /dev/null and b/windows/update/images/SettingsXML.png differ
diff --git a/windows/update/images/StartGrid.jpg b/windows/update/images/StartGrid.jpg
new file mode 100644
index 0000000000..36136f3201
Binary files /dev/null and b/windows/update/images/StartGrid.jpg differ
diff --git a/windows/update/images/StartGridPinnedApps.jpg b/windows/update/images/StartGridPinnedApps.jpg
new file mode 100644
index 0000000000..fbade52f53
Binary files /dev/null and b/windows/update/images/StartGridPinnedApps.jpg differ
diff --git a/windows/update/images/TilesXML.png b/windows/update/images/TilesXML.png
new file mode 100644
index 0000000000..cec52bbbf7
Binary files /dev/null and b/windows/update/images/TilesXML.png differ
diff --git a/windows/update/images/aadj1.jpg b/windows/update/images/aadj1.jpg
new file mode 100644
index 0000000000..2348fc4c84
Binary files /dev/null and b/windows/update/images/aadj1.jpg differ
diff --git a/windows/update/images/aadj2.jpg b/windows/update/images/aadj2.jpg
new file mode 100644
index 0000000000..39486bfc66
Binary files /dev/null and b/windows/update/images/aadj2.jpg differ
diff --git a/windows/update/images/aadj3.jpg b/windows/update/images/aadj3.jpg
new file mode 100644
index 0000000000..80e1f5762f
Binary files /dev/null and b/windows/update/images/aadj3.jpg differ
diff --git a/windows/update/images/aadj4.jpg b/windows/update/images/aadj4.jpg
new file mode 100644
index 0000000000..0db2910012
Binary files /dev/null and b/windows/update/images/aadj4.jpg differ
diff --git a/windows/update/images/aadjbrowser.jpg b/windows/update/images/aadjbrowser.jpg
new file mode 100644
index 0000000000..c8d909688e
Binary files /dev/null and b/windows/update/images/aadjbrowser.jpg differ
diff --git a/windows/update/images/aadjcal.jpg b/windows/update/images/aadjcal.jpg
new file mode 100644
index 0000000000..1858886f5f
Binary files /dev/null and b/windows/update/images/aadjcal.jpg differ
diff --git a/windows/update/images/aadjcalmail.jpg b/windows/update/images/aadjcalmail.jpg
new file mode 100644
index 0000000000..5a5661259a
Binary files /dev/null and b/windows/update/images/aadjcalmail.jpg differ
diff --git a/windows/update/images/aadjmail1.jpg b/windows/update/images/aadjmail1.jpg
new file mode 100644
index 0000000000..89b1fcc3b7
Binary files /dev/null and b/windows/update/images/aadjmail1.jpg differ
diff --git a/windows/update/images/aadjmail2.jpg b/windows/update/images/aadjmail2.jpg
new file mode 100644
index 0000000000..0608010c6a
Binary files /dev/null and b/windows/update/images/aadjmail2.jpg differ
diff --git a/windows/update/images/aadjmail3.jpg b/windows/update/images/aadjmail3.jpg
new file mode 100644
index 0000000000..d7154a7e0e
Binary files /dev/null and b/windows/update/images/aadjmail3.jpg differ
diff --git a/windows/update/images/aadjonedrive.jpg b/windows/update/images/aadjonedrive.jpg
new file mode 100644
index 0000000000..6fb1196d5f
Binary files /dev/null and b/windows/update/images/aadjonedrive.jpg differ
diff --git a/windows/update/images/aadjonenote.jpg b/windows/update/images/aadjonenote.jpg
new file mode 100644
index 0000000000..4ccd207f9f
Binary files /dev/null and b/windows/update/images/aadjonenote.jpg differ
diff --git a/windows/update/images/aadjonenote2.jpg b/windows/update/images/aadjonenote2.jpg
new file mode 100644
index 0000000000..1b6941e638
Binary files /dev/null and b/windows/update/images/aadjonenote2.jpg differ
diff --git a/windows/update/images/aadjonenote3.jpg b/windows/update/images/aadjonenote3.jpg
new file mode 100644
index 0000000000..3ac6911046
Binary files /dev/null and b/windows/update/images/aadjonenote3.jpg differ
diff --git a/windows/update/images/aadjpin.jpg b/windows/update/images/aadjpin.jpg
new file mode 100644
index 0000000000..dac6cfec30
Binary files /dev/null and b/windows/update/images/aadjpin.jpg differ
diff --git a/windows/update/images/aadjppt.jpg b/windows/update/images/aadjppt.jpg
new file mode 100644
index 0000000000..268d5fe662
Binary files /dev/null and b/windows/update/images/aadjppt.jpg differ
diff --git a/windows/update/images/aadjverify.jpg b/windows/update/images/aadjverify.jpg
new file mode 100644
index 0000000000..7b30210f39
Binary files /dev/null and b/windows/update/images/aadjverify.jpg differ
diff --git a/windows/update/images/aadjword.jpg b/windows/update/images/aadjword.jpg
new file mode 100644
index 0000000000..db2a58406e
Binary files /dev/null and b/windows/update/images/aadjword.jpg differ
diff --git a/windows/update/images/aadjwsfb.jpg b/windows/update/images/aadjwsfb.jpg
new file mode 100644
index 0000000000..428f1a26d4
Binary files /dev/null and b/windows/update/images/aadjwsfb.jpg differ
diff --git a/windows/update/images/admin-tools-folder.png b/windows/update/images/admin-tools-folder.png
new file mode 100644
index 0000000000..4831204f73
Binary files /dev/null and b/windows/update/images/admin-tools-folder.png differ
diff --git a/windows/update/images/admin-tools.png b/windows/update/images/admin-tools.png
new file mode 100644
index 0000000000..1470cffdd5
Binary files /dev/null and b/windows/update/images/admin-tools.png differ
diff --git a/windows/update/images/allow-rdp.png b/windows/update/images/allow-rdp.png
new file mode 100644
index 0000000000..55c13b53bc
Binary files /dev/null and b/windows/update/images/allow-rdp.png differ
diff --git a/windows/update/images/app-v-in-adk.png b/windows/update/images/app-v-in-adk.png
new file mode 100644
index 0000000000..a36ef9f00f
Binary files /dev/null and b/windows/update/images/app-v-in-adk.png differ
diff --git a/windows/update/images/apprule.png b/windows/update/images/apprule.png
new file mode 100644
index 0000000000..ec5417849a
Binary files /dev/null and b/windows/update/images/apprule.png differ
diff --git a/windows/update/images/appwarning.png b/windows/update/images/appwarning.png
new file mode 100644
index 0000000000..877d8afebd
Binary files /dev/null and b/windows/update/images/appwarning.png differ
diff --git a/windows/update/images/backicon.png b/windows/update/images/backicon.png
new file mode 100644
index 0000000000..3007e448b1
Binary files /dev/null and b/windows/update/images/backicon.png differ
diff --git a/windows/update/images/checklistbox.gif b/windows/update/images/checklistbox.gif
new file mode 100644
index 0000000000..cbcf4a4f11
Binary files /dev/null and b/windows/update/images/checklistbox.gif differ
diff --git a/windows/update/images/checklistdone.png b/windows/update/images/checklistdone.png
new file mode 100644
index 0000000000..7e53f74d0e
Binary files /dev/null and b/windows/update/images/checklistdone.png differ
diff --git a/windows/update/images/checkmark.png b/windows/update/images/checkmark.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/windows/update/images/checkmark.png differ
diff --git a/windows/update/images/choose-package.png b/windows/update/images/choose-package.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/windows/update/images/choose-package.png differ
diff --git a/windows/update/images/config-policy.png b/windows/update/images/config-policy.png
new file mode 100644
index 0000000000..b9cba70af6
Binary files /dev/null and b/windows/update/images/config-policy.png differ
diff --git a/windows/update/images/config-source.png b/windows/update/images/config-source.png
new file mode 100644
index 0000000000..58938bacf7
Binary files /dev/null and b/windows/update/images/config-source.png differ
diff --git a/windows/update/images/configconflict.png b/windows/update/images/configconflict.png
new file mode 100644
index 0000000000..011a2d76e7
Binary files /dev/null and b/windows/update/images/configconflict.png differ
diff --git a/windows/update/images/connect-aad.png b/windows/update/images/connect-aad.png
new file mode 100644
index 0000000000..8583866165
Binary files /dev/null and b/windows/update/images/connect-aad.png differ
diff --git a/windows/update/images/copy-to-change.png b/windows/update/images/copy-to-change.png
new file mode 100644
index 0000000000..21aa250c0c
Binary files /dev/null and b/windows/update/images/copy-to-change.png differ
diff --git a/windows/update/images/copy-to-path.png b/windows/update/images/copy-to-path.png
new file mode 100644
index 0000000000..1ef00fc86b
Binary files /dev/null and b/windows/update/images/copy-to-path.png differ
diff --git a/windows/update/images/copy-to.PNG b/windows/update/images/copy-to.PNG
new file mode 100644
index 0000000000..dad84cedc8
Binary files /dev/null and b/windows/update/images/copy-to.PNG differ
diff --git a/windows/update/images/cortana-about-me.png b/windows/update/images/cortana-about-me.png
new file mode 100644
index 0000000000..32c1ccefab
Binary files /dev/null and b/windows/update/images/cortana-about-me.png differ
diff --git a/windows/update/images/cortana-add-reminder.png b/windows/update/images/cortana-add-reminder.png
new file mode 100644
index 0000000000..3f03528e11
Binary files /dev/null and b/windows/update/images/cortana-add-reminder.png differ
diff --git a/windows/update/images/cortana-chicago-weather.png b/windows/update/images/cortana-chicago-weather.png
new file mode 100644
index 0000000000..9273bf201b
Binary files /dev/null and b/windows/update/images/cortana-chicago-weather.png differ
diff --git a/windows/update/images/cortana-complete-send-email-coworker-mic.png b/windows/update/images/cortana-complete-send-email-coworker-mic.png
new file mode 100644
index 0000000000..3238c8d31d
Binary files /dev/null and b/windows/update/images/cortana-complete-send-email-coworker-mic.png differ
diff --git a/windows/update/images/cortana-connect-crm.png b/windows/update/images/cortana-connect-crm.png
new file mode 100644
index 0000000000..c70c42f75e
Binary files /dev/null and b/windows/update/images/cortana-connect-crm.png differ
diff --git a/windows/update/images/cortana-connect-o365.png b/windows/update/images/cortana-connect-o365.png
new file mode 100644
index 0000000000..df1ffa449b
Binary files /dev/null and b/windows/update/images/cortana-connect-o365.png differ
diff --git a/windows/update/images/cortana-connect-uber.png b/windows/update/images/cortana-connect-uber.png
new file mode 100644
index 0000000000..724fecb5b5
Binary files /dev/null and b/windows/update/images/cortana-connect-uber.png differ
diff --git a/windows/update/images/cortana-crm-screen.png b/windows/update/images/cortana-crm-screen.png
new file mode 100644
index 0000000000..ded5d80a59
Binary files /dev/null and b/windows/update/images/cortana-crm-screen.png differ
diff --git a/windows/update/images/cortana-feedback.png b/windows/update/images/cortana-feedback.png
new file mode 100644
index 0000000000..6e14018c98
Binary files /dev/null and b/windows/update/images/cortana-feedback.png differ
diff --git a/windows/update/images/cortana-final-reminder.png b/windows/update/images/cortana-final-reminder.png
new file mode 100644
index 0000000000..f114e058e5
Binary files /dev/null and b/windows/update/images/cortana-final-reminder.png differ
diff --git a/windows/update/images/cortana-meeting-specific-time.png b/windows/update/images/cortana-meeting-specific-time.png
new file mode 100644
index 0000000000..a108355133
Binary files /dev/null and b/windows/update/images/cortana-meeting-specific-time.png differ
diff --git a/windows/update/images/cortana-meeting-tomorrow.png b/windows/update/images/cortana-meeting-tomorrow.png
new file mode 100644
index 0000000000..13273b6600
Binary files /dev/null and b/windows/update/images/cortana-meeting-tomorrow.png differ
diff --git a/windows/update/images/cortana-newyork-weather.png b/windows/update/images/cortana-newyork-weather.png
new file mode 100644
index 0000000000..b3879737be
Binary files /dev/null and b/windows/update/images/cortana-newyork-weather.png differ
diff --git a/windows/update/images/cortana-o365-screen.png b/windows/update/images/cortana-o365-screen.png
new file mode 100644
index 0000000000..ba06dd6de5
Binary files /dev/null and b/windows/update/images/cortana-o365-screen.png differ
diff --git a/windows/update/images/cortana-place-reminder.png b/windows/update/images/cortana-place-reminder.png
new file mode 100644
index 0000000000..89ccdab3e3
Binary files /dev/null and b/windows/update/images/cortana-place-reminder.png differ
diff --git a/windows/update/images/cortana-powerbi-create-report.png b/windows/update/images/cortana-powerbi-create-report.png
new file mode 100644
index 0000000000..a22789d72a
Binary files /dev/null and b/windows/update/images/cortana-powerbi-create-report.png differ
diff --git a/windows/update/images/cortana-powerbi-expand-nav.png b/windows/update/images/cortana-powerbi-expand-nav.png
new file mode 100644
index 0000000000..c8b47943f9
Binary files /dev/null and b/windows/update/images/cortana-powerbi-expand-nav.png differ
diff --git a/windows/update/images/cortana-powerbi-field-selection.png b/windows/update/images/cortana-powerbi-field-selection.png
new file mode 100644
index 0000000000..8aef58c23a
Binary files /dev/null and b/windows/update/images/cortana-powerbi-field-selection.png differ
diff --git a/windows/update/images/cortana-powerbi-getdata-samples.png b/windows/update/images/cortana-powerbi-getdata-samples.png
new file mode 100644
index 0000000000..3bfa4792df
Binary files /dev/null and b/windows/update/images/cortana-powerbi-getdata-samples.png differ
diff --git a/windows/update/images/cortana-powerbi-getdata.png b/windows/update/images/cortana-powerbi-getdata.png
new file mode 100644
index 0000000000..55b7b61589
Binary files /dev/null and b/windows/update/images/cortana-powerbi-getdata.png differ
diff --git a/windows/update/images/cortana-powerbi-myreport.png b/windows/update/images/cortana-powerbi-myreport.png
new file mode 100644
index 0000000000..cc04d9c6f0
Binary files /dev/null and b/windows/update/images/cortana-powerbi-myreport.png differ
diff --git a/windows/update/images/cortana-powerbi-pagesize.png b/windows/update/images/cortana-powerbi-pagesize.png
new file mode 100644
index 0000000000..fd1c1ef917
Binary files /dev/null and b/windows/update/images/cortana-powerbi-pagesize.png differ
diff --git a/windows/update/images/cortana-powerbi-report-qna.png b/windows/update/images/cortana-powerbi-report-qna.png
new file mode 100644
index 0000000000..d17949aa8a
Binary files /dev/null and b/windows/update/images/cortana-powerbi-report-qna.png differ
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png
new file mode 100644
index 0000000000..5b94a2e2fc
Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png differ
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/update/images/cortana-powerbi-retail-analysis-dataset.png
new file mode 100644
index 0000000000..b2ffec3b70
Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-dataset.png differ
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/update/images/cortana-powerbi-retail-analysis-sample.png
new file mode 100644
index 0000000000..e3b61dcaa2
Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-sample.png differ
diff --git a/windows/update/images/cortana-powerbi-search.png b/windows/update/images/cortana-powerbi-search.png
new file mode 100644
index 0000000000..88a8b40296
Binary files /dev/null and b/windows/update/images/cortana-powerbi-search.png differ
diff --git a/windows/update/images/cortana-powerbi-settings.png b/windows/update/images/cortana-powerbi-settings.png
new file mode 100644
index 0000000000..0f51229895
Binary files /dev/null and b/windows/update/images/cortana-powerbi-settings.png differ
diff --git a/windows/update/images/cortana-redmond-weather.png b/windows/update/images/cortana-redmond-weather.png
new file mode 100644
index 0000000000..7e8adc1929
Binary files /dev/null and b/windows/update/images/cortana-redmond-weather.png differ
diff --git a/windows/update/images/cortana-reminder-edit.png b/windows/update/images/cortana-reminder-edit.png
new file mode 100644
index 0000000000..79cc280947
Binary files /dev/null and b/windows/update/images/cortana-reminder-edit.png differ
diff --git a/windows/update/images/cortana-reminder-list.png b/windows/update/images/cortana-reminder-list.png
new file mode 100644
index 0000000000..1f57fc0f05
Binary files /dev/null and b/windows/update/images/cortana-reminder-list.png differ
diff --git a/windows/update/images/cortana-reminder-mic.png b/windows/update/images/cortana-reminder-mic.png
new file mode 100644
index 0000000000..46a18e8e0b
Binary files /dev/null and b/windows/update/images/cortana-reminder-mic.png differ
diff --git a/windows/update/images/cortana-reminder-pending-mic.png b/windows/update/images/cortana-reminder-pending-mic.png
new file mode 100644
index 0000000000..159d408e0a
Binary files /dev/null and b/windows/update/images/cortana-reminder-pending-mic.png differ
diff --git a/windows/update/images/cortana-reminder-pending.png b/windows/update/images/cortana-reminder-pending.png
new file mode 100644
index 0000000000..a6b64b5621
Binary files /dev/null and b/windows/update/images/cortana-reminder-pending.png differ
diff --git a/windows/update/images/cortana-send-email-coworker-mic.png b/windows/update/images/cortana-send-email-coworker-mic.png
new file mode 100644
index 0000000000..0cfa8fb731
Binary files /dev/null and b/windows/update/images/cortana-send-email-coworker-mic.png differ
diff --git a/windows/update/images/cortana-send-email-coworker.png b/windows/update/images/cortana-send-email-coworker.png
new file mode 100644
index 0000000000..40ce18bdca
Binary files /dev/null and b/windows/update/images/cortana-send-email-coworker.png differ
diff --git a/windows/update/images/cortana-weather-multipanel.png b/windows/update/images/cortana-weather-multipanel.png
new file mode 100644
index 0000000000..e8db031744
Binary files /dev/null and b/windows/update/images/cortana-weather-multipanel.png differ
diff --git a/windows/update/images/crossmark.png b/windows/update/images/crossmark.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/windows/update/images/crossmark.png differ
diff --git a/windows/update/images/csp-placeholder.png b/windows/update/images/csp-placeholder.png
new file mode 100644
index 0000000000..fe6bcf4720
Binary files /dev/null and b/windows/update/images/csp-placeholder.png differ
diff --git a/windows/update/images/cspinicd.png b/windows/update/images/cspinicd.png
new file mode 100644
index 0000000000..a60ad9e2bf
Binary files /dev/null and b/windows/update/images/cspinicd.png differ
diff --git a/windows/update/images/csptable.png b/windows/update/images/csptable.png
new file mode 100644
index 0000000000..ee210cad69
Binary files /dev/null and b/windows/update/images/csptable.png differ
diff --git a/windows/update/images/deploymentworkflow.png b/windows/update/images/deploymentworkflow.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/update/images/deploymentworkflow.png differ
diff --git a/windows/update/images/doneicon.png b/windows/update/images/doneicon.png
new file mode 100644
index 0000000000..d80389f35b
Binary files /dev/null and b/windows/update/images/doneicon.png differ
diff --git a/windows/update/images/export-mgt-desktop.png b/windows/update/images/export-mgt-desktop.png
new file mode 100644
index 0000000000..13349c3b4e
Binary files /dev/null and b/windows/update/images/export-mgt-desktop.png differ
diff --git a/windows/update/images/export-mgt-mobile.png b/windows/update/images/export-mgt-mobile.png
new file mode 100644
index 0000000000..6a74c23e59
Binary files /dev/null and b/windows/update/images/export-mgt-mobile.png differ
diff --git a/windows/update/images/express-settings.png b/windows/update/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/windows/update/images/express-settings.png differ
diff --git a/windows/update/images/fig1-deferupgrades.png b/windows/update/images/fig1-deferupgrades.png
new file mode 100644
index 0000000000..f8c52b943e
Binary files /dev/null and b/windows/update/images/fig1-deferupgrades.png differ
diff --git a/windows/update/images/fig2-deploymenttimeline.png b/windows/update/images/fig2-deploymenttimeline.png
new file mode 100644
index 0000000000..a8061d2f15
Binary files /dev/null and b/windows/update/images/fig2-deploymenttimeline.png differ
diff --git a/windows/update/images/fig3-overlaprelease.png b/windows/update/images/fig3-overlaprelease.png
new file mode 100644
index 0000000000..58747a35cf
Binary files /dev/null and b/windows/update/images/fig3-overlaprelease.png differ
diff --git a/windows/update/images/funfacts.png b/windows/update/images/funfacts.png
new file mode 100644
index 0000000000..71355ec370
Binary files /dev/null and b/windows/update/images/funfacts.png differ
diff --git a/windows/update/images/genrule.png b/windows/update/images/genrule.png
new file mode 100644
index 0000000000..1d68f1ad0b
Binary files /dev/null and b/windows/update/images/genrule.png differ
diff --git a/windows/update/images/gp-branch.png b/windows/update/images/gp-branch.png
new file mode 100644
index 0000000000..997bcc830a
Binary files /dev/null and b/windows/update/images/gp-branch.png differ
diff --git a/windows/update/images/gp-exclude-drivers.png b/windows/update/images/gp-exclude-drivers.png
new file mode 100644
index 0000000000..0010749139
Binary files /dev/null and b/windows/update/images/gp-exclude-drivers.png differ
diff --git a/windows/update/images/gp-feature.png b/windows/update/images/gp-feature.png
new file mode 100644
index 0000000000..b862d545d4
Binary files /dev/null and b/windows/update/images/gp-feature.png differ
diff --git a/windows/update/images/gp-quality.png b/windows/update/images/gp-quality.png
new file mode 100644
index 0000000000..d7ff30172d
Binary files /dev/null and b/windows/update/images/gp-quality.png differ
diff --git a/windows/update/images/icd-adv-shared-pc.PNG b/windows/update/images/icd-adv-shared-pc.PNG
new file mode 100644
index 0000000000..a8da5fa78a
Binary files /dev/null and b/windows/update/images/icd-adv-shared-pc.PNG differ
diff --git a/windows/update/images/icd-school.PNG b/windows/update/images/icd-school.PNG
new file mode 100644
index 0000000000..e6a944a193
Binary files /dev/null and b/windows/update/images/icd-school.PNG differ
diff --git a/windows/update/images/icd-simple.PNG b/windows/update/images/icd-simple.PNG
new file mode 100644
index 0000000000..7ae8a1728b
Binary files /dev/null and b/windows/update/images/icd-simple.PNG differ
diff --git a/windows/update/images/icdbrowse.png b/windows/update/images/icdbrowse.png
new file mode 100644
index 0000000000..53c91074c7
Binary files /dev/null and b/windows/update/images/icdbrowse.png differ
diff --git a/windows/update/images/identitychoices.png b/windows/update/images/identitychoices.png
new file mode 100644
index 0000000000..9a69c04f20
Binary files /dev/null and b/windows/update/images/identitychoices.png differ
diff --git a/windows/update/images/launchicon.png b/windows/update/images/launchicon.png
new file mode 100644
index 0000000000..d469c68a2c
Binary files /dev/null and b/windows/update/images/launchicon.png differ
diff --git a/windows/update/images/license-terms.png b/windows/update/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/windows/update/images/license-terms.png differ
diff --git a/windows/update/images/lockdownapps.png b/windows/update/images/lockdownapps.png
new file mode 100644
index 0000000000..ad928d87bc
Binary files /dev/null and b/windows/update/images/lockdownapps.png differ
diff --git a/windows/update/images/lockscreen.png b/windows/update/images/lockscreen.png
new file mode 100644
index 0000000000..68c64e15ec
Binary files /dev/null and b/windows/update/images/lockscreen.png differ
diff --git a/windows/update/images/lockscreenpolicy.png b/windows/update/images/lockscreenpolicy.png
new file mode 100644
index 0000000000..30b6a7ae9d
Binary files /dev/null and b/windows/update/images/lockscreenpolicy.png differ
diff --git a/windows/update/images/mdm-diag-report-powershell.PNG b/windows/update/images/mdm-diag-report-powershell.PNG
new file mode 100644
index 0000000000..86f5b49211
Binary files /dev/null and b/windows/update/images/mdm-diag-report-powershell.PNG differ
diff --git a/windows/update/images/mdm.png b/windows/update/images/mdm.png
new file mode 100644
index 0000000000..8ebcc00526
Binary files /dev/null and b/windows/update/images/mdm.png differ
diff --git a/windows/update/images/mobile-start-layout.png b/windows/update/images/mobile-start-layout.png
new file mode 100644
index 0000000000..d1055d6c87
Binary files /dev/null and b/windows/update/images/mobile-start-layout.png differ
diff --git a/windows/update/images/oma-uri-shared-pc.png b/windows/update/images/oma-uri-shared-pc.png
new file mode 100644
index 0000000000..68f9fa3b32
Binary files /dev/null and b/windows/update/images/oma-uri-shared-pc.png differ
diff --git a/windows/update/images/oobe.jpg b/windows/update/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/windows/update/images/oobe.jpg differ
diff --git a/windows/update/images/package.png b/windows/update/images/package.png
new file mode 100644
index 0000000000..f5e975e3e9
Binary files /dev/null and b/windows/update/images/package.png differ
diff --git a/windows/update/images/packageaddfileandregistrydata-global.png b/windows/update/images/packageaddfileandregistrydata-global.png
new file mode 100644
index 0000000000..775e290a36
Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata-global.png differ
diff --git a/windows/update/images/packageaddfileandregistrydata-stream.png b/windows/update/images/packageaddfileandregistrydata-stream.png
new file mode 100644
index 0000000000..0e1205c62b
Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata-stream.png differ
diff --git a/windows/update/images/packageaddfileandregistrydata.png b/windows/update/images/packageaddfileandregistrydata.png
new file mode 100644
index 0000000000..603420e627
Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata.png differ
diff --git a/windows/update/images/phoneprovision.png b/windows/update/images/phoneprovision.png
new file mode 100644
index 0000000000..01ada29ac9
Binary files /dev/null and b/windows/update/images/phoneprovision.png differ
diff --git a/windows/update/images/policytocsp.png b/windows/update/images/policytocsp.png
new file mode 100644
index 0000000000..80ca76cb62
Binary files /dev/null and b/windows/update/images/policytocsp.png differ
diff --git a/windows/update/images/powericon.png b/windows/update/images/powericon.png
new file mode 100644
index 0000000000..b497ff859d
Binary files /dev/null and b/windows/update/images/powericon.png differ
diff --git a/windows/update/images/priv-telemetry-levels.png b/windows/update/images/priv-telemetry-levels.png
new file mode 100644
index 0000000000..9581cee54d
Binary files /dev/null and b/windows/update/images/priv-telemetry-levels.png differ
diff --git a/windows/update/images/prov.jpg b/windows/update/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/update/images/prov.jpg differ
diff --git a/windows/update/images/provisioning-csp-assignedaccess.png b/windows/update/images/provisioning-csp-assignedaccess.png
new file mode 100644
index 0000000000..14d49cdd89
Binary files /dev/null and b/windows/update/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/update/images/rdp.png b/windows/update/images/rdp.png
new file mode 100644
index 0000000000..ac088d0b06
Binary files /dev/null and b/windows/update/images/rdp.png differ
diff --git a/windows/update/images/resetdevice.png b/windows/update/images/resetdevice.png
new file mode 100644
index 0000000000..4e265c3f8d
Binary files /dev/null and b/windows/update/images/resetdevice.png differ
diff --git a/windows/update/images/settings-table.png b/windows/update/images/settings-table.png
new file mode 100644
index 0000000000..ada56513fc
Binary files /dev/null and b/windows/update/images/settings-table.png differ
diff --git a/windows/update/images/settingsicon.png b/windows/update/images/settingsicon.png
new file mode 100644
index 0000000000..0ad27fc558
Binary files /dev/null and b/windows/update/images/settingsicon.png differ
diff --git a/windows/update/images/setupmsg.jpg b/windows/update/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/windows/update/images/setupmsg.jpg differ
diff --git a/windows/update/images/sign-in-prov.png b/windows/update/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/update/images/sign-in-prov.png differ
diff --git a/windows/update/images/spotlight.png b/windows/update/images/spotlight.png
new file mode 100644
index 0000000000..515269740b
Binary files /dev/null and b/windows/update/images/spotlight.png differ
diff --git a/windows/update/images/spotlight2.png b/windows/update/images/spotlight2.png
new file mode 100644
index 0000000000..27401c1a2b
Binary files /dev/null and b/windows/update/images/spotlight2.png differ
diff --git a/windows/update/images/start-pinned-app.png b/windows/update/images/start-pinned-app.png
new file mode 100644
index 0000000000..e1e4a24a00
Binary files /dev/null and b/windows/update/images/start-pinned-app.png differ
diff --git a/windows/update/images/startannotated.png b/windows/update/images/startannotated.png
new file mode 100644
index 0000000000..d46f3a70c2
Binary files /dev/null and b/windows/update/images/startannotated.png differ
diff --git a/windows/update/images/starticon.png b/windows/update/images/starticon.png
new file mode 100644
index 0000000000..fa8cbdff10
Binary files /dev/null and b/windows/update/images/starticon.png differ
diff --git a/windows/update/images/startlayoutpolicy.jpg b/windows/update/images/startlayoutpolicy.jpg
new file mode 100644
index 0000000000..d3c8d054fe
Binary files /dev/null and b/windows/update/images/startlayoutpolicy.jpg differ
diff --git a/windows/update/images/starttemplate.jpg b/windows/update/images/starttemplate.jpg
new file mode 100644
index 0000000000..900eed08c5
Binary files /dev/null and b/windows/update/images/starttemplate.jpg differ
diff --git a/windows/update/images/sysprep-error.png b/windows/update/images/sysprep-error.png
new file mode 100644
index 0000000000..aa004efbb6
Binary files /dev/null and b/windows/update/images/sysprep-error.png differ
diff --git a/windows/update/images/taskbar-blank.png b/windows/update/images/taskbar-blank.png
new file mode 100644
index 0000000000..185027f2fd
Binary files /dev/null and b/windows/update/images/taskbar-blank.png differ
diff --git a/windows/update/images/taskbar-default-plus.png b/windows/update/images/taskbar-default-plus.png
new file mode 100644
index 0000000000..8afcebac09
Binary files /dev/null and b/windows/update/images/taskbar-default-plus.png differ
diff --git a/windows/update/images/taskbar-default-removed.png b/windows/update/images/taskbar-default-removed.png
new file mode 100644
index 0000000000..b3ff924e9f
Binary files /dev/null and b/windows/update/images/taskbar-default-removed.png differ
diff --git a/windows/update/images/taskbar-default.png b/windows/update/images/taskbar-default.png
new file mode 100644
index 0000000000..41c6c72258
Binary files /dev/null and b/windows/update/images/taskbar-default.png differ
diff --git a/windows/update/images/taskbar-generic.png b/windows/update/images/taskbar-generic.png
new file mode 100644
index 0000000000..6d47a6795a
Binary files /dev/null and b/windows/update/images/taskbar-generic.png differ
diff --git a/windows/update/images/taskbar-region-defr.png b/windows/update/images/taskbar-region-defr.png
new file mode 100644
index 0000000000..6d707b16f4
Binary files /dev/null and b/windows/update/images/taskbar-region-defr.png differ
diff --git a/windows/update/images/taskbar-region-other.png b/windows/update/images/taskbar-region-other.png
new file mode 100644
index 0000000000..fab367ef7a
Binary files /dev/null and b/windows/update/images/taskbar-region-other.png differ
diff --git a/windows/update/images/taskbar-region-usuk.png b/windows/update/images/taskbar-region-usuk.png
new file mode 100644
index 0000000000..6bba65ee81
Binary files /dev/null and b/windows/update/images/taskbar-region-usuk.png differ
diff --git a/windows/update/images/taskbarSTARTERBLANK.png b/windows/update/images/taskbarSTARTERBLANK.png
new file mode 100644
index 0000000000..e206bdc196
Binary files /dev/null and b/windows/update/images/taskbarSTARTERBLANK.png differ
diff --git a/windows/update/images/trust-package.png b/windows/update/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/update/images/trust-package.png differ
diff --git a/windows/update/images/twain.png b/windows/update/images/twain.png
new file mode 100644
index 0000000000..53cd5eadc7
Binary files /dev/null and b/windows/update/images/twain.png differ
diff --git a/windows/update/images/uc-01.png b/windows/update/images/uc-01.png
new file mode 100644
index 0000000000..7f4df9f6d7
Binary files /dev/null and b/windows/update/images/uc-01.png differ
diff --git a/windows/update/images/uc-02.png b/windows/update/images/uc-02.png
new file mode 100644
index 0000000000..8317f051c3
Binary files /dev/null and b/windows/update/images/uc-02.png differ
diff --git a/windows/update/images/uc-02a.png b/windows/update/images/uc-02a.png
new file mode 100644
index 0000000000..d12544e3a0
Binary files /dev/null and b/windows/update/images/uc-02a.png differ
diff --git a/windows/update/images/uc-03.png b/windows/update/images/uc-03.png
new file mode 100644
index 0000000000..58494c4128
Binary files /dev/null and b/windows/update/images/uc-03.png differ
diff --git a/windows/update/images/uc-03a.png b/windows/update/images/uc-03a.png
new file mode 100644
index 0000000000..39412fc8f3
Binary files /dev/null and b/windows/update/images/uc-03a.png differ
diff --git a/windows/update/images/uc-04.png b/windows/update/images/uc-04.png
new file mode 100644
index 0000000000..ef9a37d379
Binary files /dev/null and b/windows/update/images/uc-04.png differ
diff --git a/windows/update/images/uc-04a.png b/windows/update/images/uc-04a.png
new file mode 100644
index 0000000000..537d4bbe72
Binary files /dev/null and b/windows/update/images/uc-04a.png differ
diff --git a/windows/update/images/uc-05.png b/windows/update/images/uc-05.png
new file mode 100644
index 0000000000..21c8e9f9e0
Binary files /dev/null and b/windows/update/images/uc-05.png differ
diff --git a/windows/update/images/uc-05a.png b/windows/update/images/uc-05a.png
new file mode 100644
index 0000000000..2271181622
Binary files /dev/null and b/windows/update/images/uc-05a.png differ
diff --git a/windows/update/images/uc-06.png b/windows/update/images/uc-06.png
new file mode 100644
index 0000000000..03a559800b
Binary files /dev/null and b/windows/update/images/uc-06.png differ
diff --git a/windows/update/images/uc-06a.png b/windows/update/images/uc-06a.png
new file mode 100644
index 0000000000..15df1cfea0
Binary files /dev/null and b/windows/update/images/uc-06a.png differ
diff --git a/windows/update/images/uc-07.png b/windows/update/images/uc-07.png
new file mode 100644
index 0000000000..de1ae35e82
Binary files /dev/null and b/windows/update/images/uc-07.png differ
diff --git a/windows/update/images/uc-07a.png b/windows/update/images/uc-07a.png
new file mode 100644
index 0000000000..c0f2d9fd73
Binary files /dev/null and b/windows/update/images/uc-07a.png differ
diff --git a/windows/update/images/uc-08.png b/windows/update/images/uc-08.png
new file mode 100644
index 0000000000..877fcd64c0
Binary files /dev/null and b/windows/update/images/uc-08.png differ
diff --git a/windows/update/images/uc-08a.png b/windows/update/images/uc-08a.png
new file mode 100644
index 0000000000..89da287d3d
Binary files /dev/null and b/windows/update/images/uc-08a.png differ
diff --git a/windows/update/images/uc-09.png b/windows/update/images/uc-09.png
new file mode 100644
index 0000000000..37d7114f19
Binary files /dev/null and b/windows/update/images/uc-09.png differ
diff --git a/windows/update/images/uc-09a.png b/windows/update/images/uc-09a.png
new file mode 100644
index 0000000000..f6b6ec5b60
Binary files /dev/null and b/windows/update/images/uc-09a.png differ
diff --git a/windows/update/images/uc-10.png b/windows/update/images/uc-10.png
new file mode 100644
index 0000000000..3ab72d10d2
Binary files /dev/null and b/windows/update/images/uc-10.png differ
diff --git a/windows/update/images/uc-10a.png b/windows/update/images/uc-10a.png
new file mode 100644
index 0000000000..1c6b8b01dc
Binary files /dev/null and b/windows/update/images/uc-10a.png differ
diff --git a/windows/update/images/uc-11.png b/windows/update/images/uc-11.png
new file mode 100644
index 0000000000..8b4fc568ea
Binary files /dev/null and b/windows/update/images/uc-11.png differ
diff --git a/windows/update/images/uc-12.png b/windows/update/images/uc-12.png
new file mode 100644
index 0000000000..4198684c99
Binary files /dev/null and b/windows/update/images/uc-12.png differ
diff --git a/windows/update/images/uc-13.png b/windows/update/images/uc-13.png
new file mode 100644
index 0000000000..117f9b9fd8
Binary files /dev/null and b/windows/update/images/uc-13.png differ
diff --git a/windows/update/images/uc-14.png b/windows/update/images/uc-14.png
new file mode 100644
index 0000000000..66047984e7
Binary files /dev/null and b/windows/update/images/uc-14.png differ
diff --git a/windows/update/images/uc-15.png b/windows/update/images/uc-15.png
new file mode 100644
index 0000000000..c241cd9117
Binary files /dev/null and b/windows/update/images/uc-15.png differ
diff --git a/windows/update/images/uc-16.png b/windows/update/images/uc-16.png
new file mode 100644
index 0000000000..e7aff4d4ed
Binary files /dev/null and b/windows/update/images/uc-16.png differ
diff --git a/windows/update/images/uc-17.png b/windows/update/images/uc-17.png
new file mode 100644
index 0000000000..cb8e42ca5e
Binary files /dev/null and b/windows/update/images/uc-17.png differ
diff --git a/windows/update/images/uc-18.png b/windows/update/images/uc-18.png
new file mode 100644
index 0000000000..5eff59adc9
Binary files /dev/null and b/windows/update/images/uc-18.png differ
diff --git a/windows/update/images/uc-19.png b/windows/update/images/uc-19.png
new file mode 100644
index 0000000000..791900eafc
Binary files /dev/null and b/windows/update/images/uc-19.png differ
diff --git a/windows/update/images/uc-20.png b/windows/update/images/uc-20.png
new file mode 100644
index 0000000000..7dbb027b9f
Binary files /dev/null and b/windows/update/images/uc-20.png differ
diff --git a/windows/update/images/uc-21.png b/windows/update/images/uc-21.png
new file mode 100644
index 0000000000..418db41fe4
Binary files /dev/null and b/windows/update/images/uc-21.png differ
diff --git a/windows/update/images/uc-22.png b/windows/update/images/uc-22.png
new file mode 100644
index 0000000000..2ca5c47a61
Binary files /dev/null and b/windows/update/images/uc-22.png differ
diff --git a/windows/update/images/uc-23.png b/windows/update/images/uc-23.png
new file mode 100644
index 0000000000..58b82db82d
Binary files /dev/null and b/windows/update/images/uc-23.png differ
diff --git a/windows/update/images/uc-24.png b/windows/update/images/uc-24.png
new file mode 100644
index 0000000000..00bc61e3e1
Binary files /dev/null and b/windows/update/images/uc-24.png differ
diff --git a/windows/update/images/uc-25.png b/windows/update/images/uc-25.png
new file mode 100644
index 0000000000..4e0f0bdb03
Binary files /dev/null and b/windows/update/images/uc-25.png differ
diff --git a/windows/update/images/uev-adk-select-uev-feature.png b/windows/update/images/uev-adk-select-uev-feature.png
new file mode 100644
index 0000000000..1556f115c0
Binary files /dev/null and b/windows/update/images/uev-adk-select-uev-feature.png differ
diff --git a/windows/update/images/uev-archdiagram.png b/windows/update/images/uev-archdiagram.png
new file mode 100644
index 0000000000..eae098e666
Binary files /dev/null and b/windows/update/images/uev-archdiagram.png differ
diff --git a/windows/update/images/uev-checklist-box.gif b/windows/update/images/uev-checklist-box.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/update/images/uev-checklist-box.gif differ
diff --git a/windows/update/images/uev-deployment-preparation.png b/windows/update/images/uev-deployment-preparation.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/update/images/uev-deployment-preparation.png differ
diff --git a/windows/update/images/uev-generator-process.png b/windows/update/images/uev-generator-process.png
new file mode 100644
index 0000000000..e16cedd0a7
Binary files /dev/null and b/windows/update/images/uev-generator-process.png differ
diff --git a/windows/update/images/w10servicing-f1-branches.png b/windows/update/images/w10servicing-f1-branches.png
new file mode 100644
index 0000000000..ac4a549aed
Binary files /dev/null and b/windows/update/images/w10servicing-f1-branches.png differ
diff --git a/windows/update/images/waas-active-hours-policy.PNG b/windows/update/images/waas-active-hours-policy.PNG
new file mode 100644
index 0000000000..af80ef6652
Binary files /dev/null and b/windows/update/images/waas-active-hours-policy.PNG differ
diff --git a/windows/update/images/waas-active-hours.PNG b/windows/update/images/waas-active-hours.PNG
new file mode 100644
index 0000000000..c262c302ed
Binary files /dev/null and b/windows/update/images/waas-active-hours.PNG differ
diff --git a/windows/update/images/waas-auto-update-policy.PNG b/windows/update/images/waas-auto-update-policy.PNG
new file mode 100644
index 0000000000..52a1629cbf
Binary files /dev/null and b/windows/update/images/waas-auto-update-policy.PNG differ
diff --git a/windows/update/images/waas-do-fig1.png b/windows/update/images/waas-do-fig1.png
new file mode 100644
index 0000000000..2a2b6872e9
Binary files /dev/null and b/windows/update/images/waas-do-fig1.png differ
diff --git a/windows/update/images/waas-do-fig2.png b/windows/update/images/waas-do-fig2.png
new file mode 100644
index 0000000000..cc42b328eb
Binary files /dev/null and b/windows/update/images/waas-do-fig2.png differ
diff --git a/windows/update/images/waas-do-fig3.png b/windows/update/images/waas-do-fig3.png
new file mode 100644
index 0000000000..d9182d3b20
Binary files /dev/null and b/windows/update/images/waas-do-fig3.png differ
diff --git a/windows/update/images/waas-do-fig4.png b/windows/update/images/waas-do-fig4.png
new file mode 100644
index 0000000000..a66741ed90
Binary files /dev/null and b/windows/update/images/waas-do-fig4.png differ
diff --git a/windows/update/images/waas-overview-patch.png b/windows/update/images/waas-overview-patch.png
new file mode 100644
index 0000000000..6ac0a03227
Binary files /dev/null and b/windows/update/images/waas-overview-patch.png differ
diff --git a/windows/update/images/waas-restart-policy.PNG b/windows/update/images/waas-restart-policy.PNG
new file mode 100644
index 0000000000..936f9aeb08
Binary files /dev/null and b/windows/update/images/waas-restart-policy.PNG differ
diff --git a/windows/update/images/waas-rings.png b/windows/update/images/waas-rings.png
new file mode 100644
index 0000000000..041a59ce87
Binary files /dev/null and b/windows/update/images/waas-rings.png differ
diff --git a/windows/update/images/waas-sccm-fig1.png b/windows/update/images/waas-sccm-fig1.png
new file mode 100644
index 0000000000..6bf2b1c621
Binary files /dev/null and b/windows/update/images/waas-sccm-fig1.png differ
diff --git a/windows/update/images/waas-sccm-fig10.png b/windows/update/images/waas-sccm-fig10.png
new file mode 100644
index 0000000000..ad3b5c922f
Binary files /dev/null and b/windows/update/images/waas-sccm-fig10.png differ
diff --git a/windows/update/images/waas-sccm-fig11.png b/windows/update/images/waas-sccm-fig11.png
new file mode 100644
index 0000000000..6c4f905630
Binary files /dev/null and b/windows/update/images/waas-sccm-fig11.png differ
diff --git a/windows/update/images/waas-sccm-fig12.png b/windows/update/images/waas-sccm-fig12.png
new file mode 100644
index 0000000000..87464dd5f1
Binary files /dev/null and b/windows/update/images/waas-sccm-fig12.png differ
diff --git a/windows/update/images/waas-sccm-fig2.png b/windows/update/images/waas-sccm-fig2.png
new file mode 100644
index 0000000000..c83e7bc781
Binary files /dev/null and b/windows/update/images/waas-sccm-fig2.png differ
diff --git a/windows/update/images/waas-sccm-fig3.png b/windows/update/images/waas-sccm-fig3.png
new file mode 100644
index 0000000000..dcbc83b8ff
Binary files /dev/null and b/windows/update/images/waas-sccm-fig3.png differ
diff --git a/windows/update/images/waas-sccm-fig4.png b/windows/update/images/waas-sccm-fig4.png
new file mode 100644
index 0000000000..782c5ca6ef
Binary files /dev/null and b/windows/update/images/waas-sccm-fig4.png differ
diff --git a/windows/update/images/waas-sccm-fig5.png b/windows/update/images/waas-sccm-fig5.png
new file mode 100644
index 0000000000..cb399a6c6f
Binary files /dev/null and b/windows/update/images/waas-sccm-fig5.png differ
diff --git a/windows/update/images/waas-sccm-fig6.png b/windows/update/images/waas-sccm-fig6.png
new file mode 100644
index 0000000000..77dd02d61e
Binary files /dev/null and b/windows/update/images/waas-sccm-fig6.png differ
diff --git a/windows/update/images/waas-sccm-fig7.png b/windows/update/images/waas-sccm-fig7.png
new file mode 100644
index 0000000000..a74c7c8133
Binary files /dev/null and b/windows/update/images/waas-sccm-fig7.png differ
diff --git a/windows/update/images/waas-sccm-fig8.png b/windows/update/images/waas-sccm-fig8.png
new file mode 100644
index 0000000000..2dfaf75ddf
Binary files /dev/null and b/windows/update/images/waas-sccm-fig8.png differ
diff --git a/windows/update/images/waas-sccm-fig9.png b/windows/update/images/waas-sccm-fig9.png
new file mode 100644
index 0000000000..311d79dc94
Binary files /dev/null and b/windows/update/images/waas-sccm-fig9.png differ
diff --git a/windows/update/images/waas-strategy-fig1a.png b/windows/update/images/waas-strategy-fig1a.png
new file mode 100644
index 0000000000..7a924c43bc
Binary files /dev/null and b/windows/update/images/waas-strategy-fig1a.png differ
diff --git a/windows/update/images/waas-wsus-fig1.png b/windows/update/images/waas-wsus-fig1.png
new file mode 100644
index 0000000000..14bf35958a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig1.png differ
diff --git a/windows/update/images/waas-wsus-fig10.png b/windows/update/images/waas-wsus-fig10.png
new file mode 100644
index 0000000000..3efa119693
Binary files /dev/null and b/windows/update/images/waas-wsus-fig10.png differ
diff --git a/windows/update/images/waas-wsus-fig11.png b/windows/update/images/waas-wsus-fig11.png
new file mode 100644
index 0000000000..ae6d79221a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig11.png differ
diff --git a/windows/update/images/waas-wsus-fig12.png b/windows/update/images/waas-wsus-fig12.png
new file mode 100644
index 0000000000..47479ea1df
Binary files /dev/null and b/windows/update/images/waas-wsus-fig12.png differ
diff --git a/windows/update/images/waas-wsus-fig13.png b/windows/update/images/waas-wsus-fig13.png
new file mode 100644
index 0000000000..f0b1578094
Binary files /dev/null and b/windows/update/images/waas-wsus-fig13.png differ
diff --git a/windows/update/images/waas-wsus-fig14.png b/windows/update/images/waas-wsus-fig14.png
new file mode 100644
index 0000000000..b5b930ddad
Binary files /dev/null and b/windows/update/images/waas-wsus-fig14.png differ
diff --git a/windows/update/images/waas-wsus-fig15.png b/windows/update/images/waas-wsus-fig15.png
new file mode 100644
index 0000000000..95e38c039e
Binary files /dev/null and b/windows/update/images/waas-wsus-fig15.png differ
diff --git a/windows/update/images/waas-wsus-fig16.png b/windows/update/images/waas-wsus-fig16.png
new file mode 100644
index 0000000000..3848ac1772
Binary files /dev/null and b/windows/update/images/waas-wsus-fig16.png differ
diff --git a/windows/update/images/waas-wsus-fig17.png b/windows/update/images/waas-wsus-fig17.png
new file mode 100644
index 0000000000..5511da3e5c
Binary files /dev/null and b/windows/update/images/waas-wsus-fig17.png differ
diff --git a/windows/update/images/waas-wsus-fig18.png b/windows/update/images/waas-wsus-fig18.png
new file mode 100644
index 0000000000..f9ac774754
Binary files /dev/null and b/windows/update/images/waas-wsus-fig18.png differ
diff --git a/windows/update/images/waas-wsus-fig19.png b/windows/update/images/waas-wsus-fig19.png
new file mode 100644
index 0000000000..f69d793afe
Binary files /dev/null and b/windows/update/images/waas-wsus-fig19.png differ
diff --git a/windows/update/images/waas-wsus-fig2.png b/windows/update/images/waas-wsus-fig2.png
new file mode 100644
index 0000000000..167774a6c9
Binary files /dev/null and b/windows/update/images/waas-wsus-fig2.png differ
diff --git a/windows/update/images/waas-wsus-fig20.png b/windows/update/images/waas-wsus-fig20.png
new file mode 100644
index 0000000000..ea6bbb350a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig20.png differ
diff --git a/windows/update/images/waas-wsus-fig3.png b/windows/update/images/waas-wsus-fig3.png
new file mode 100644
index 0000000000..272e8c05e9
Binary files /dev/null and b/windows/update/images/waas-wsus-fig3.png differ
diff --git a/windows/update/images/waas-wsus-fig4.png b/windows/update/images/waas-wsus-fig4.png
new file mode 100644
index 0000000000..bb5f27e3da
Binary files /dev/null and b/windows/update/images/waas-wsus-fig4.png differ
diff --git a/windows/update/images/waas-wsus-fig5.png b/windows/update/images/waas-wsus-fig5.png
new file mode 100644
index 0000000000..23faf303c6
Binary files /dev/null and b/windows/update/images/waas-wsus-fig5.png differ
diff --git a/windows/update/images/waas-wsus-fig6.png b/windows/update/images/waas-wsus-fig6.png
new file mode 100644
index 0000000000..7857351d19
Binary files /dev/null and b/windows/update/images/waas-wsus-fig6.png differ
diff --git a/windows/update/images/waas-wsus-fig7.png b/windows/update/images/waas-wsus-fig7.png
new file mode 100644
index 0000000000..e7f02649d2
Binary files /dev/null and b/windows/update/images/waas-wsus-fig7.png differ
diff --git a/windows/update/images/waas-wsus-fig8.png b/windows/update/images/waas-wsus-fig8.png
new file mode 100644
index 0000000000..da5f620425
Binary files /dev/null and b/windows/update/images/waas-wsus-fig8.png differ
diff --git a/windows/update/images/waas-wsus-fig9.png b/windows/update/images/waas-wsus-fig9.png
new file mode 100644
index 0000000000..f3d5a4eb6a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig9.png differ
diff --git a/windows/update/images/waas-wufb-gp-broad.png b/windows/update/images/waas-wufb-gp-broad.png
new file mode 100644
index 0000000000..92b71c8936
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-broad.png differ
diff --git a/windows/update/images/waas-wufb-gp-cb2-settings.png b/windows/update/images/waas-wufb-gp-cb2-settings.png
new file mode 100644
index 0000000000..ae6ed4d856
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cb2-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cb2.png b/windows/update/images/waas-wufb-gp-cb2.png
new file mode 100644
index 0000000000..006a8c02d3
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cb2.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb1-settings.png b/windows/update/images/waas-wufb-gp-cbb1-settings.png
new file mode 100644
index 0000000000..c9e1029b8b
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb1-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2-settings.png b/windows/update/images/waas-wufb-gp-cbb2-settings.png
new file mode 100644
index 0000000000..e5aff1cc89
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb2-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/update/images/waas-wufb-gp-cbb2q-settings.png
new file mode 100644
index 0000000000..33a02165c6
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb2q-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-create.png b/windows/update/images/waas-wufb-gp-create.png
new file mode 100644
index 0000000000..d74eec4b2e
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-create.png differ
diff --git a/windows/update/images/waas-wufb-gp-edit-defer.png b/windows/update/images/waas-wufb-gp-edit-defer.png
new file mode 100644
index 0000000000..c697b42ffd
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-edit-defer.png differ
diff --git a/windows/update/images/waas-wufb-gp-edit.png b/windows/update/images/waas-wufb-gp-edit.png
new file mode 100644
index 0000000000..1b8d21a175
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-edit.png differ
diff --git a/windows/update/images/waas-wufb-gp-scope-cb2.png b/windows/update/images/waas-wufb-gp-scope-cb2.png
new file mode 100644
index 0000000000..fcacdbea57
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-scope-cb2.png differ
diff --git a/windows/update/images/waas-wufb-gp-scope.png b/windows/update/images/waas-wufb-gp-scope.png
new file mode 100644
index 0000000000..a04d8194df
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-scope.png differ
diff --git a/windows/update/images/waas-wufb-intune-cb2a.png b/windows/update/images/waas-wufb-intune-cb2a.png
new file mode 100644
index 0000000000..3e8c1ce19e
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cb2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-cbb1a.png b/windows/update/images/waas-wufb-intune-cbb1a.png
new file mode 100644
index 0000000000..bc394fe563
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cbb1a.png differ
diff --git a/windows/update/images/waas-wufb-intune-cbb2a.png b/windows/update/images/waas-wufb-intune-cbb2a.png
new file mode 100644
index 0000000000..a980e0e43a
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cbb2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step11a.png b/windows/update/images/waas-wufb-intune-step11a.png
new file mode 100644
index 0000000000..7291484c93
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step11a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step19a.png b/windows/update/images/waas-wufb-intune-step19a.png
new file mode 100644
index 0000000000..de132abd28
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step19a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step2a.png b/windows/update/images/waas-wufb-intune-step2a.png
new file mode 100644
index 0000000000..9a719b8fda
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step7a.png b/windows/update/images/waas-wufb-intune-step7a.png
new file mode 100644
index 0000000000..daa96ba18c
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step7a.png differ
diff --git a/windows/update/images/who-owns-pc.png b/windows/update/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/windows/update/images/who-owns-pc.png differ
diff --git a/windows/update/images/wifisense-grouppolicy.png b/windows/update/images/wifisense-grouppolicy.png
new file mode 100644
index 0000000000..1142d834bd
Binary files /dev/null and b/windows/update/images/wifisense-grouppolicy.png differ
diff --git a/windows/update/images/wifisense-registry.png b/windows/update/images/wifisense-registry.png
new file mode 100644
index 0000000000..cbb1fa8347
Binary files /dev/null and b/windows/update/images/wifisense-registry.png differ
diff --git a/windows/update/images/wifisense-settingscreens.png b/windows/update/images/wifisense-settingscreens.png
new file mode 100644
index 0000000000..cbb6903177
Binary files /dev/null and b/windows/update/images/wifisense-settingscreens.png differ
diff --git a/windows/update/images/win10-mobile-mdm-fig1.png b/windows/update/images/win10-mobile-mdm-fig1.png
new file mode 100644
index 0000000000..6ddac1df99
Binary files /dev/null and b/windows/update/images/win10-mobile-mdm-fig1.png differ
diff --git a/windows/update/images/win10servicing-fig2-featureupgrade.png b/windows/update/images/win10servicing-fig2-featureupgrade.png
new file mode 100644
index 0000000000..e4dc76b44f
Binary files /dev/null and b/windows/update/images/win10servicing-fig2-featureupgrade.png differ
diff --git a/windows/update/images/win10servicing-fig3.png b/windows/update/images/win10servicing-fig3.png
new file mode 100644
index 0000000000..688f92b173
Binary files /dev/null and b/windows/update/images/win10servicing-fig3.png differ
diff --git a/windows/update/images/win10servicing-fig4-upgradereleases.png b/windows/update/images/win10servicing-fig4-upgradereleases.png
new file mode 100644
index 0000000000..961c8bebe2
Binary files /dev/null and b/windows/update/images/win10servicing-fig4-upgradereleases.png differ
diff --git a/windows/update/images/win10servicing-fig5.png b/windows/update/images/win10servicing-fig5.png
new file mode 100644
index 0000000000..dc4b2fc5b2
Binary files /dev/null and b/windows/update/images/win10servicing-fig5.png differ
diff --git a/windows/update/images/win10servicing-fig6.png b/windows/update/images/win10servicing-fig6.png
new file mode 100644
index 0000000000..4cdc5f9c6f
Binary files /dev/null and b/windows/update/images/win10servicing-fig6.png differ
diff --git a/windows/update/images/win10servicing-fig7.png b/windows/update/images/win10servicing-fig7.png
new file mode 100644
index 0000000000..0a9a851449
Binary files /dev/null and b/windows/update/images/win10servicing-fig7.png differ
diff --git a/windows/update/images/windows-10-management-cyod-byod-flow.png b/windows/update/images/windows-10-management-cyod-byod-flow.png
new file mode 100644
index 0000000000..6121e93832
Binary files /dev/null and b/windows/update/images/windows-10-management-cyod-byod-flow.png differ
diff --git a/windows/update/images/windows-10-management-gp-intune-flow.png b/windows/update/images/windows-10-management-gp-intune-flow.png
new file mode 100644
index 0000000000..c9e3f2ea31
Binary files /dev/null and b/windows/update/images/windows-10-management-gp-intune-flow.png differ
diff --git a/windows/update/images/windows-10-management-range-of-options.png b/windows/update/images/windows-10-management-range-of-options.png
new file mode 100644
index 0000000000..e4de546709
Binary files /dev/null and b/windows/update/images/windows-10-management-range-of-options.png differ
diff --git a/windows/update/images/wsfb-distribute.png b/windows/update/images/wsfb-distribute.png
new file mode 100644
index 0000000000..d0482f6ebe
Binary files /dev/null and b/windows/update/images/wsfb-distribute.png differ
diff --git a/windows/update/images/wsfb-firstrun.png b/windows/update/images/wsfb-firstrun.png
new file mode 100644
index 0000000000..2673567a1e
Binary files /dev/null and b/windows/update/images/wsfb-firstrun.png differ
diff --git a/windows/update/images/wsfb-inventory-viewlicense.png b/windows/update/images/wsfb-inventory-viewlicense.png
new file mode 100644
index 0000000000..9fafad1aff
Binary files /dev/null and b/windows/update/images/wsfb-inventory-viewlicense.png differ
diff --git a/windows/update/images/wsfb-inventory.png b/windows/update/images/wsfb-inventory.png
new file mode 100644
index 0000000000..b060fb30e4
Binary files /dev/null and b/windows/update/images/wsfb-inventory.png differ
diff --git a/windows/update/images/wsfb-inventoryaddprivatestore.png b/windows/update/images/wsfb-inventoryaddprivatestore.png
new file mode 100644
index 0000000000..bb1152e35b
Binary files /dev/null and b/windows/update/images/wsfb-inventoryaddprivatestore.png differ
diff --git a/windows/update/images/wsfb-landing.png b/windows/update/images/wsfb-landing.png
new file mode 100644
index 0000000000..beae0b52af
Binary files /dev/null and b/windows/update/images/wsfb-landing.png differ
diff --git a/windows/update/images/wsfb-licenseassign.png b/windows/update/images/wsfb-licenseassign.png
new file mode 100644
index 0000000000..5904abb3b9
Binary files /dev/null and b/windows/update/images/wsfb-licenseassign.png differ
diff --git a/windows/update/images/wsfb-licensedetails.png b/windows/update/images/wsfb-licensedetails.png
new file mode 100644
index 0000000000..53e0f5c935
Binary files /dev/null and b/windows/update/images/wsfb-licensedetails.png differ
diff --git a/windows/update/images/wsfb-licensereclaim.png b/windows/update/images/wsfb-licensereclaim.png
new file mode 100644
index 0000000000..9f94cd3600
Binary files /dev/null and b/windows/update/images/wsfb-licensereclaim.png differ
diff --git a/windows/update/images/wsfb-manageinventory.png b/windows/update/images/wsfb-manageinventory.png
new file mode 100644
index 0000000000..9a544ddc21
Binary files /dev/null and b/windows/update/images/wsfb-manageinventory.png differ
diff --git a/windows/update/images/wsfb-offline-distribute-mdm.png b/windows/update/images/wsfb-offline-distribute-mdm.png
new file mode 100644
index 0000000000..ec0e77a9a9
Binary files /dev/null and b/windows/update/images/wsfb-offline-distribute-mdm.png differ
diff --git a/windows/update/images/wsfb-onboard-1.png b/windows/update/images/wsfb-onboard-1.png
new file mode 100644
index 0000000000..012e91a845
Binary files /dev/null and b/windows/update/images/wsfb-onboard-1.png differ
diff --git a/windows/update/images/wsfb-onboard-2.png b/windows/update/images/wsfb-onboard-2.png
new file mode 100644
index 0000000000..2ff98fb1f7
Binary files /dev/null and b/windows/update/images/wsfb-onboard-2.png differ
diff --git a/windows/update/images/wsfb-onboard-3.png b/windows/update/images/wsfb-onboard-3.png
new file mode 100644
index 0000000000..ed9a61d353
Binary files /dev/null and b/windows/update/images/wsfb-onboard-3.png differ
diff --git a/windows/update/images/wsfb-onboard-4.png b/windows/update/images/wsfb-onboard-4.png
new file mode 100644
index 0000000000..d99185ddc6
Binary files /dev/null and b/windows/update/images/wsfb-onboard-4.png differ
diff --git a/windows/update/images/wsfb-onboard-5.png b/windows/update/images/wsfb-onboard-5.png
new file mode 100644
index 0000000000..68049f4425
Binary files /dev/null and b/windows/update/images/wsfb-onboard-5.png differ
diff --git a/windows/update/images/wsfb-onboard-7.png b/windows/update/images/wsfb-onboard-7.png
new file mode 100644
index 0000000000..38b7348b21
Binary files /dev/null and b/windows/update/images/wsfb-onboard-7.png differ
diff --git a/windows/update/images/wsfb-online-distribute-mdm.png b/windows/update/images/wsfb-online-distribute-mdm.png
new file mode 100644
index 0000000000..4b0f7cbf3a
Binary files /dev/null and b/windows/update/images/wsfb-online-distribute-mdm.png differ
diff --git a/windows/update/images/wsfb-paid-app-temp.png b/windows/update/images/wsfb-paid-app-temp.png
new file mode 100644
index 0000000000..89e3857d07
Binary files /dev/null and b/windows/update/images/wsfb-paid-app-temp.png differ
diff --git a/windows/update/images/wsfb-permissions-assignrole.png b/windows/update/images/wsfb-permissions-assignrole.png
new file mode 100644
index 0000000000..de2e1785ba
Binary files /dev/null and b/windows/update/images/wsfb-permissions-assignrole.png differ
diff --git a/windows/update/images/wsfb-private-store-gpo.PNG b/windows/update/images/wsfb-private-store-gpo.PNG
new file mode 100644
index 0000000000..5e7fe44ec2
Binary files /dev/null and b/windows/update/images/wsfb-private-store-gpo.PNG differ
diff --git a/windows/update/images/wsfb-privatestore.png b/windows/update/images/wsfb-privatestore.png
new file mode 100644
index 0000000000..74c9f1690d
Binary files /dev/null and b/windows/update/images/wsfb-privatestore.png differ
diff --git a/windows/update/images/wsfb-privatestoreapps.png b/windows/update/images/wsfb-privatestoreapps.png
new file mode 100644
index 0000000000..1ddb543796
Binary files /dev/null and b/windows/update/images/wsfb-privatestoreapps.png differ
diff --git a/windows/update/images/wsfb-renameprivatestore.png b/windows/update/images/wsfb-renameprivatestore.png
new file mode 100644
index 0000000000..c6db282581
Binary files /dev/null and b/windows/update/images/wsfb-renameprivatestore.png differ
diff --git a/windows/update/images/wsfb-settings-mgmt.png b/windows/update/images/wsfb-settings-mgmt.png
new file mode 100644
index 0000000000..2a7b590d19
Binary files /dev/null and b/windows/update/images/wsfb-settings-mgmt.png differ
diff --git a/windows/update/images/wsfb-settings-permissions.png b/windows/update/images/wsfb-settings-permissions.png
new file mode 100644
index 0000000000..63d04d270b
Binary files /dev/null and b/windows/update/images/wsfb-settings-permissions.png differ
diff --git a/windows/update/images/wsfb-wsappaddacct.png b/windows/update/images/wsfb-wsappaddacct.png
new file mode 100644
index 0000000000..5c0bd9a4ce
Binary files /dev/null and b/windows/update/images/wsfb-wsappaddacct.png differ
diff --git a/windows/update/images/wsfb-wsappprivatestore.png b/windows/update/images/wsfb-wsappprivatestore.png
new file mode 100644
index 0000000000..9c29e7604c
Binary files /dev/null and b/windows/update/images/wsfb-wsappprivatestore.png differ
diff --git a/windows/update/images/wsfb-wsappsignin.png b/windows/update/images/wsfb-wsappsignin.png
new file mode 100644
index 0000000000..c2c2631a94
Binary files /dev/null and b/windows/update/images/wsfb-wsappsignin.png differ
diff --git a/windows/update/images/wsfb-wsappworkacct.png b/windows/update/images/wsfb-wsappworkacct.png
new file mode 100644
index 0000000000..5eb9035124
Binary files /dev/null and b/windows/update/images/wsfb-wsappworkacct.png differ
diff --git a/windows/update/images/wufb-config1a.png b/windows/update/images/wufb-config1a.png
new file mode 100644
index 0000000000..1514b87528
Binary files /dev/null and b/windows/update/images/wufb-config1a.png differ
diff --git a/windows/update/images/wufb-config2.png b/windows/update/images/wufb-config2.png
new file mode 100644
index 0000000000..f54eef9a50
Binary files /dev/null and b/windows/update/images/wufb-config2.png differ
diff --git a/windows/update/images/wufb-config3a.png b/windows/update/images/wufb-config3a.png
new file mode 100644
index 0000000000..538028cfdc
Binary files /dev/null and b/windows/update/images/wufb-config3a.png differ
diff --git a/windows/update/images/wufb-do.png b/windows/update/images/wufb-do.png
new file mode 100644
index 0000000000..8d6c9d0b8a
Binary files /dev/null and b/windows/update/images/wufb-do.png differ
diff --git a/windows/update/images/wufb-groups.png b/windows/update/images/wufb-groups.png
new file mode 100644
index 0000000000..13cdea04b0
Binary files /dev/null and b/windows/update/images/wufb-groups.png differ
diff --git a/windows/update/images/wufb-pause-feature.png b/windows/update/images/wufb-pause-feature.png
new file mode 100644
index 0000000000..afeac43e29
Binary files /dev/null and b/windows/update/images/wufb-pause-feature.png differ
diff --git a/windows/update/images/wufb-qual.png b/windows/update/images/wufb-qual.png
new file mode 100644
index 0000000000..4a93408522
Binary files /dev/null and b/windows/update/images/wufb-qual.png differ
diff --git a/windows/update/images/wufb-sccm.png b/windows/update/images/wufb-sccm.png
new file mode 100644
index 0000000000..1d568c1fe4
Binary files /dev/null and b/windows/update/images/wufb-sccm.png differ
diff --git a/windows/update/index.md b/windows/update/index.md
new file mode 100644
index 0000000000..44e2083297
--- /dev/null
+++ b/windows/update/index.md
@@ -0,0 +1,122 @@
+nterprise
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them.
+
+>[!TIP]
+>See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date.
+
+
+
+## In this section
+
+| Topic | Description|
+| --- | --- |
+| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. |
+| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
+| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
+| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |
+| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. |
+| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. |
+| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
+| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
+| [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
+| [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
+| [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
+| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
+
+>[!TIP]
+>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager).---
+title: Manage and update Windows 10 (Windows 10)
+description: Learn about managing and updating Windows 10.
+ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0
+keywords: Windows 10, MDM, WSUS, Windows update
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Manage and update Windows 10
+
+Learn about managing and updating Windows 10.
+
+>[!NOTE]
+>Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/).
+
+## In this section
+
+
+
+
+
+Start
+Policy
+Setting
+
+
+User tile
+Group Policy: Remove Logoff on the Start menu
+
+
+
+Most used
+Group Policy: Remove frequent programs from the Start menu
+Settings > Personalization > Start > Show most used apps
+
+
+Settings > Personalization > Start > Occasionally show suggestions in Start
+
+
+Recently added
+not applicable
+Settings > Personalization > Start > Show recently added apps
+
+
+Pinned folders
+not applicable
+Settings > Personalization > Start > Choose which folders appear on Start
+
+
+Power
+Group Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
+None
+
+
+Start layout
+None
+
+
+Jump lists
+Group Policy: Do not keep history of recently opened documents
+Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
+
+
+Start size
+Settings > Personalization > Start > Use Start full screen
+
+
+
+All Settings
+Group Policy: Prevent changes to Taskbar and Start Menu Settings
+None
+
+
+
+
+## Related topics
+[Windows 10 and Windows 10 Mobile](../index.md)
+
+
+[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/update/waas-branchcache.md b/windows/update/waas-branchcache.md
new file mode 100644
index 0000000000..6e44cbaaa1
--- /dev/null
+++ b/windows/update/waas-branchcache.md
@@ -0,0 +1,66 @@
+---
+title: Configure BranchCache for Windows 10 updates (Windows 10)
+description: Use BranchCache to optimize network bandwidth during update deployment.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Configure BranchCache for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
+
+- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
+
+ >[!TIP]
+ >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution.
+
+- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
+
+For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx).
+
+## Configure clients for BranchCache
+
+Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
+
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+## Configure servers for BranchCache
+
+You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager.
+
+For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide).
+
+In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
+
+>[!NOTE]
+>Configuration Manager only supports Distributed Cache mode.
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md
new file mode 100644
index 0000000000..fcb36d20f6
--- /dev/null
+++ b/windows/update/waas-configure-wufb.md
@@ -0,0 +1,233 @@
+---
+title: Configure Windows Update for Business (Windows 10)
+description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
+
+>[!IMPORTANT]
+>For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
+
+Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
+
+## Start by grouping devices
+
+By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+>[!TIP]
+>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
+
+
+## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
+
+With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing).
+
+**Release branch policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+
+
+## Configure when devices receive Feature Updates
+
+After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
+
+>[!IMPORTANT]
+>This policy does not apply to Windows 10 Mobile Enterprise.
+
+**Examples**
+
+| Settings | Scenario and behavior |
+| --- | --- |
+| Device is on CBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
+| Device is on CBBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
+
+
+**Defer Feature Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+
+
+## Pause Feature Updates
+
+You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+
+>[!IMPORTANT]
+>This policy does not apply to Windows 10 Mobile Enterprise.
+
+**Pause Feature Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+
+
+You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+| Value | Status|
+| --- | --- |
+| 0 | Feature Updates not paused |
+| 1 | Feature Updates paused |
+| 2 | Feature Updates have auto-resumed after being paused |
+
+
+## Configure when devices receive Quality Updates
+
+Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
+
+You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+
+>[!IMPORTANT]
+>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
+
+**Defer Quality Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+
+
+## Pause Quality Updates
+
+You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+
+>[!IMPORTANT]
+>This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
+
+**Pause Quality Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+
+
+You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+| Value | Status|
+| --- | --- |
+| 0 | Quality Updates not paused |
+| 1 | Quality Updates paused |
+| 2 | Quality Updates have auto-resumed after being paused |
+
+## Exclude drivers from Quality Updates
+
+In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
+
+**Exclude driver policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+
+
+
+## Summary: MDM and Group Policy for version 1607
+
+Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607.
+
+**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+
+| GPO Key | Key type | Value |
+| --- | --- | --- |
+| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)32: systems take Feature Updates for the Current Branch for Business (CBB)Note: Other value or absent: receive all applicable updates (CB) |
+| DeferQualityUpdates | REG_DWORD | 1: defer quality updatesOther value or absent: don’t defer quality updates |
+| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
+| PauseQualityUpdates | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
+|DeferFeatureUpdates | REG_DWORD | 1: defer feature updatesOther value or absent: don’t defer feature updates |
+| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
+| PauseFeatureUpdates | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates |
+| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
+
+
+**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update**
+
+| MDM Key | Key type | Value |
+| --- | --- | --- |
+| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)32: systems take Feature Updates for the Current Branch for Business (CBB)Note: Other value or absent: receive all applicable updates (CB) |
+| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
+| PauseQualityUpdates | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
+| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
+| PauseFeatureUpdates | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates |
+| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
+
+## Update devices from Windows 10, version 1511 to version 1607
+
+Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator.
+
+### How version 1511 policies are respected on version 1607
+
+When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. Update keys for version 1607 will always supersede the version 1511 equivalent.
+
+### Comparing the version 1511 keys to the version 1607 keys
+
+In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
+
+
+
+
+
+Topic
+Description
+
+
+
+
+[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Version 1511 GPO keys Version 1607 GPO keys
+**DeferUpgrade**: *enable/disable*
+Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable* Enabling will pause both upgrades and updates for a max of 35 days **DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel** Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 30 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable*
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/update/waas-delivery-optimization.md b/windows/update/waas-delivery-optimization.md
new file mode 100644
index 0000000000..b1701d80d9
--- /dev/null
+++ b/windows/update/waas-delivery-optimization.md
@@ -0,0 +1,259 @@
+---
+title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Configure Delivery Optimization for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
+
+Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
+
+For more details, see [Download mode](#download-mode).
+
+>[!NOTE]
+>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
+
+By default in Windows 10 Enterprise and Education, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+
+## Delivery Optimization options
+
+You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
+
+- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
+- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
+
+Several Delivery Optimization features are configurable.
+
+
+
+### Download mode (DODownloadMode)
+
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
+
+| Download mode option | Functionality when set |
+| --- | --- |
+| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
+| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. |
+| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
+| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
+| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
+|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. |
+
+>[!NOTE]
+>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
+
+### Group ID (DOGroupID)
+
+By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
+
+>[!NOTE]
+>This configuration is optional and not required for most implementations of Delivery Optimization.
+
+### Max Cache Age (DOMaxCacheAge)
+
+In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
+
+### Max Cache Size (DOMaxCacheSize)
+
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
+
+### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
+
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
+
+### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
+
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
+
+### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+
+This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+### Max Upload Bandwidth (DOMaxUploadBandwidth)
+
+This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+
+### Minimum Background QoS (DOMinBackgroundQoS)
+
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
+
+### Modify Cache Drive (DOModifyCacheDrive)
+
+This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
+
+### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
+
+This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
+
+## Delivery Optimization configuration examples
+
+Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
+
+### Use Delivery Optimzation with group download mode
+
+Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
+
+**To use Group Policy to configure Delivery Optimization for group download mode**
+
+1. Open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**.
+
+5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7. Right-click the **Download Mode** setting, and then click **Edit**.
+
+8. Enable the policy, and then select the **Group** download mode.
+
+9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
+
+10. Click **OK**, and then close the Group Policy Management Editor.
+
+11. In GPMC, select the **Delivery Optimization – Group** policy.
+
+12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
+
+**To use Intune to configure Delivery Optimization for group download mode**
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
+
+7. In the **Value** box, type **2**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+8. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
+
+### Use WSUS and BranchCache with Windows 10, version 1511
+
+In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
+
+**To use Group Policy to configure HTTP only download mode**
+
+1. Open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**.
+
+5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7. Right-click the **Download Mode** setting, and then click **Edit**.
+
+8. Enable the policy, and then select the **HTTP only** download mode.
+
+9. Click **OK**, and then close the Group Policy Management Editor.
+
+10. In GPMC, select the **Delivery Optimization – HTTP Only** policy.
+
+11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
+
+### Use WSUS and BranchCache with Windows 10, version 1607
+
+In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
+
+**To use Group Policy to enable the Bypass download mode**
+
+1. Open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**.
+
+5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7. Right-click the **Download Mode** setting, and then click **Edit**.
+
+8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
+
+9. Click **OK**, and then close the Group Policy Management Editor.
+
+10. In GPMC, select the **Delivery Optimization – Bypass** policy.
+
+11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
+
+ >[!NOTE]
+ >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
+
+### Set “preferred” cache devices for Delivery Optimization
+
+In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
+
+To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files.
+
+On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
+
+- Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
+
+## Learn more
+
+[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-deployment-rings-windows-10-updates.md b/windows/update/waas-deployment-rings-windows-10-updates.md
new file mode 100644
index 0000000000..1277f71080
--- /dev/null
+++ b/windows/update/waas-deployment-rings-windows-10-updates.md
@@ -0,0 +1,79 @@
+---
+title: Build deployment rings for Windows 10 updates (Windows 10)
+description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Build deployment rings for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different.
+
+Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
+
+Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
+
+Table 1 provides an example of the deployment rings you might use.
+
+**Table 1**
+
+| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release |
+| --- | --- | --- |
+| Preview | Windows Insider | Pre-CB |
+| Ring 1 Pilot IT | CB | CB + 0 weeks |
+| Ring 2 Pilot business users | CB | CB + 4 weeks |
+| Ring 3 Broad IT | CB | CB + 6 weeks |
+| Ring 4 Broad business users | CBB | CBB + 0 weeks |
+| Ring 5 Broad business users #2 | CBB | CBB + 2 weeks as required by capacity or other constraints |
+
+>[!NOTE]
+>In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates.
+>
+>Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
+
+
+As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
+
+
+
+
+
+## Steps to manage updates for Windows 10
+
+Version 1511 MDM keys Version 1607 MDM keys
+**RequireDeferUpgade**: *bool* Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool* Enabling will pause both upgrades and updates for a max of 35 days **BranchReadinessLevel** Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 30 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/update/waas-integrate-wufb.md b/windows/update/waas-integrate-wufb.md
new file mode 100644
index 0000000000..26e1d2bb42
--- /dev/null
+++ b/windows/update/waas-integrate-wufb.md
@@ -0,0 +1,111 @@
+---
+title: Integrate Windows Update for Business with management solutions (Windows 10)
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Integrate Windows Update for Business with management solutions
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+
+## Integrate Windows Update for Business with Windows Server Update Services
+
+
+For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
+
+- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
+
+### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates using Windows Update for Business
+- Device is also configured to be managed by WSUS
+- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
+- Admin has opted to put updates to Office and other products on WSUS
+- Admin has also put 3rd party drivers on WSUS
+
+ [Learn about updates and servicing branches](waas-overview.md)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  Build deployment rings for Windows 10 updates
+(this topic)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
+- Device is also configured to be managed by WSUS
+- Admin has opted to put Windows Update drivers on WSUS
+
+
+Content Metadata source Payload source Deferred?
+ Updates to Windows Windows Update Windows Update Yes  Updates to Office and other products WSUS WSUS No Third-party drivers WSUS WSUS No
+
+### Configuration example \#3: Device configured to receive Microsoft updates
+
+**Configuration:**
+
+- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
+- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
+- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
+
+In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
+- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
+- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
+
+
+Content Metadata source Payload source Deferred?
+ Updates to Windows (excluding drivers) Windows Update Windows Update Yes  Updates to Office and other products WSUS WSUS No Drivers WSUS WSUS No
+
+>[!NOTE]
+> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
+
+## Integrate Windows Update for Business with System Center Configuration Manager
+
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/update/waas-manage-updates-configuration-manager.md b/windows/update/waas-manage-updates-configuration-manager.md
new file mode 100644
index 0000000000..10a6565a03
--- /dev/null
+++ b/windows/update/waas-manage-updates-configuration-manager.md
@@ -0,0 +1,410 @@
+---
+title: Manage Windows 10 updates using System Center Configuration Manager (Windows 10)
+description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage Windows 10 updates using System Center Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
+
+You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
+
+>[!NOTE]
+>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
+
+## Windows 10 servicing dashboard
+
+The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
+
+For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
+
+- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
+- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
+- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
+- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
+
+ **To configure Upgrade classification**
+
+ 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
+
+ 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
+
+ 
+
+ 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
+
+When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
+
+## Enable CBB clients in Windows 10, version 1511
+
+When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode.
+
+**To use Group Policy to configure a client for the CBB servicing branch**
+
+>[!NOTE]
+>In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
+
+1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+4. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
+
+6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
+
+7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**.
+
+ 
+
+9. Enable the policy, and then click **OK**.
+
+ >[!NOTE]
+ >The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing.
+
+10. Close the Group Policy Management Editor.
+
+This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
+
+
+## Enable CBB clients in Windows 10, version 1607
+
+When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in CB mode.
+
+>[!NOTE]
+>System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607.
+
+**To use Group Policy to configure a client for the CBB servicing branch**
+
+>[!NOTE]
+>In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
+
+1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
+
+6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
+
+7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
+
+8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**.
+
+9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**.
+
+10. Close the Group Policy Management Editor.
+
+This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
+
+## Create collections for deployment rings
+
+Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+**To create collections for deployment rings**
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
+
+4. Click **Browse** to select the limiting collection, and then click **All Systems**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
+
+6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
+
+7. On the **Criteria** tab, click the **New** icon.
+
+ 
+
+8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
+
+9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
+
+10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
+
+ 
+
+11. Now that the **OSBranch** attribute is correct, verify the operating system version.
+
+12. On the **Criteria** tab, click the **New** icon again to add criteria.
+
+13. In the **Criterion Properties** dialog box, click **Select**.
+
+14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
+
+ 
+
+15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
+
+ 
+
+16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
+
+17. Click **Summary**, and then click **Next**.
+
+18. Close the wizard.
+
+>[!IMPORTANT]
+>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
+
+After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
+
+4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
+
+6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
+
+7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
+
+8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
+
+9. Click **Next**, and then click **Close**.
+
+10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
+
+11. Click **Next**, and then click **Close**.
+
+
+## Use Windows 10 servicing plans to deploy Windows 10 feature updates
+
+There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
+
+**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
+
+2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
+
+3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
+
+4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
+
+ >[!IMPORTANT]
+ >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
+ >
+ >
+ >
+ >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
+
+5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
+
+ Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
+
+ On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
+
+6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
+
+7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
+
+8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
+
+ Doing so allows installation and restarts after the 7-day deadline on workstations only.
+
+9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
+
+ In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
+
+ 
+
+10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
+
+ 
+
+ Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
+
+11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
+
+
+You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
+
+
+
+
+## Use a task sequence to deploy Windows 10 updates
+
+There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
+
+Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
+
+2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
+
+3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
+
+ In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
+
+ >[!NOTE]
+ >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
+
+4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
+
+5. On the **Summary** page, click **Next** to create the package.
+
+6. On the **Completion** page, click **Close**.
+
+Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
+
+2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
+
+3. In the Distribute Content Wizard, on the **General** page, click **Next**.
+
+4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
+
+5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
+
+6. On the **Content Destination** page, click **Next**.
+
+7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
+
+8. On the **Completion** page, click **Close**.
+
+Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
+
+2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
+
+3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+
+4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
+
+5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
+
+6. Click **Next**.
+
+7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
+
+8. On the **Install Applications** page, click **Next**.
+
+9. On the **Summary** page, click **Next** to create the task sequence.
+
+10. On the **Completion** page, click **Close**.
+
+With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
+
+>[!IMPORTANT]
+>This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
+
+**To deploy your task sequence**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
+
+2. On the Ribbon, in the **Deployment** group, click **Deploy**.
+
+3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
+
+4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
+
+5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
+
+6. In the **Assignment Schedule** dialog box, click **Schedule**.
+
+7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
+
+8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
+
+9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
+
+10. Use the defaults for the remaining settings.
+
+11. Click **Summary**, and then click **Next** to deploy the task sequence.
+
+12. Click **Close**.
+
+
+
+
+
+
+## Steps to manage updates for Windows 10
+
+Content Metadata source Payload source Deferred?
+ Updates to Windows (excluding drivers) Microsoft Update Microsoft Update Yes  Updates to Office and other products Microsoft Update Microsoft Update No Drivers, third-party applications WSUS WSUS No
+
+
+
+## See also
+
+[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-manage-updates-wsus.md b/windows/update/waas-manage-updates-wsus.md
new file mode 100644
index 0000000000..6fee51df69
--- /dev/null
+++ b/windows/update/waas-manage-updates-wsus.md
@@ -0,0 +1,353 @@
+---
+title: Manage Windows 10 updates using Windows Server Update Services (Windows 10)
+description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage Windows 10 updates using Windows Server Update Services (WSUS)
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
+
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
+
+
+
+## Requirements for Windows 10 servicing with WSUS
+
+To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
+
+## WSUS scalability
+
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
+
+
+## Express Installation Files
+
+With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
+
+ At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
+
+ **To configure WSUS to download Express Update Files**
+
+1. Open the WSUS Administration Console.
+
+2. In the navigation pane, go to *Your_Server*\\**Options**.
+
+3. In the **Options** section, click **Update Files and Languages**.
+
+ 
+
+4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
+
+ 
+
+ >[!NOTE]
+ >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative.
+
+## Configure automatic updates and update service location
+
+When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
+
+**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
+
+1. Open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+ >[!NOTE]
+ >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
+
+4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+
+5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+
+ 
+
+8. In the **Configure Automatic Updates** dialog box, select **Enable**.
+
+9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
+
+9. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
+
+9. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
+
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type **http://Your_WSUS_Server_FQDN:PortNumber**, and then click **OK**.
+
+ >[!NOTE]
+ >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
+
+ 
+
+ >[!NOTE]
+ >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
+
+As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
+
+## Create computer groups in the WSUS Administration Console
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
+
+**To create computer groups in the WSUS Administration Console**
+
+1. Open the WSUS Administration Console.
+
+2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
+
+ 
+
+3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+
+4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+
+Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
+
+## Use the WSUS Administration Console to populate deployment rings
+
+Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
+
+In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
+
+### Manually assign unassigned computers to groups
+
+When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
+
+**To assign computers manually**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
+
+ Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+
+2. Select both computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+
+ Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+
+### Search for multiple computers to add to groups
+
+Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
+
+**To search for multiple computers**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+
+2. In the search box, type **WIN10**.
+
+3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+
+You can now see these computers in the **Ring 3 Broad IT** computer group.
+
+
+
+## Use Group Policy to populate deployment rings
+
+The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
+
+**To configure WSUS to allow client-side targeting from Group Policy**
+
+1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+
+ 
+
+2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+
+ >[!NOTE]
+ >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
+
+Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
+
+**To configure client-side targeting**
+
+>[!TIP]
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+
+1. Open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+
+5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click **Enable client-side targeting**, and then click **Edit**.
+
+8. In the **Enable client-side targeting** dialog box, select **Enable**.
+
+9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
+
+ 
+
+10. Close the Group Policy Management Editor.
+
+Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
+
+**To scope the GPO to a group**
+
+1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+
+2. Click the **Scope** tab.
+
+3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
+
+ 
+
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
+
+## Automatically approve and deploy feature updates
+
+For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+
+>[!NOTE]
+>WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it.
+
+**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
+
+2. On the **Update Rules** tab, click **New Rule**.
+
+3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
+
+ 
+
+4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+
+5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+
+7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
+
+8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+
+ 
+
+9. In the **Automatic Approvals** dialog box, click **OK**.
+
+ >[!NOTE]
+ >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+
+Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+
+## Manually approve and deploy feature updates
+
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+
+**To approve and deploy feature updates manually**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+
+2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
+
+3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+
+4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+
+ 
+
+Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
+
+2. Right-click the feature update you want to deploy, and then click **Approve**.
+
+ 
+
+3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
+
+ 
+
+4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
+
+ 
+
+5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+
+ If the deployment is successful, you should receive a successful progress report.
+
+ 
+
+6. In the **Approval Progress** dialog box, click **Close**.
+
+
+
+## Steps to manage updates for Windows 10
+
+ [Learn about updates and servicing branches](waas-overview.md)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or Manage Windows 10 updates using System Center Configuration Manager (this topic)
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/update/waas-manage-updates-wufb.md b/windows/update/waas-manage-updates-wufb.md
new file mode 100644
index 0000000000..790cb61972
--- /dev/null
+++ b/windows/update/waas-manage-updates-wufb.md
@@ -0,0 +1,142 @@
+---
+title: Manage updates using Windows Update for Business (Windows 10)
+description: Windows Update for Business lets you manage when devices received updates from Windows Update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage updates using Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.
+
+Specifically, Windows Update for Business allows for:
+
+- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met).
+- Selectively including or excluding drivers as part of Microsoft-provided updates
+- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
+- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
+
+Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
+
+>[!NOTE]
+>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
+
+## Update types
+
+Windows Update for Business provides three types of updates to Windows 10 devices:
+
+- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
+- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
+- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
+
+Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
+
+ [Learn about updates and servicing branches](waas-overview.md)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or Manage Windows 10 updates using Windows Server Update Services (this topic)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+>[!NOTE]
+>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
+
+## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
+
+Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
+
+>[!NOTE]
+>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md).
+
+
+
+Category
+Maximum deferral
+Deferral increments
+Example
+Classification GUID
+
+
+Feature Updates
+180 days
+Days
+From Windows 10, version 1511 to version 1607
+3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
+
+
+Quality Updates
+30 days
+Days
+Security updates
+0FA1201D-4330-4FA8-8AE9-B877473B6441
+
+
+Drivers (optional)
+EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
+
+ Non-security updates
+CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
+Microsoft updates (Office, Visual Studio, etc.) varies
+
+Non-deferrable
+No deferral
+No deferral
+Definition updates
+E0789628-CE08-4437-BE74-2495B842F43B
+
+
+
+
+
+## Steps to manage updates for Windows 10
+
+Capability Windows 10, version 1511 Windows 10, version 1607
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
diff --git a/windows/update/waas-mobile-updates.md b/windows/update/waas-mobile-updates.md
new file mode 100644
index 0000000000..1352624cc9
--- /dev/null
+++ b/windows/update/waas-mobile-updates.md
@@ -0,0 +1,84 @@
+---
+title: Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
+
+
+**Applies to**
+
+- Windows 10 Mobile
+- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot)
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+
+Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
+
+[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
+
+
+
+| Windows 10 edition | CB | CBB | Insider Program |
+| --- | --- | --- | --- | --- |
+| Mobile |  |  |  |
+| Mobile Enterprise |  |  |  |
+| IoT Mobile |  |  |  |
+
+
+
+Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
+
+## Windows 10, version 1511
+
+Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
+
+- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
+- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod
+- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals
+
+To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy.
+
+## Windows 10, version 1607
+
+Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
+
+- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
+- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
+
+In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches.
+
+If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied.
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
diff --git a/windows/update/waas-optimize-windows-10-updates.md b/windows/update/waas-optimize-windows-10-updates.md
new file mode 100644
index 0000000000..08251d8c02
--- /dev/null
+++ b/windows/update/waas-optimize-windows-10-updates.md
@@ -0,0 +1,105 @@
+---
+title: Optimize update delivery for Windows 10 updates (Windows 10)
+description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Optimize update delivery for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
+
+Two methods of peer-to-peer content distribution are available in Windows 10.
+
+- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
+
+ Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
+
+- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
+
+ >[!NOTE]
+ >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
+
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+
+
+
+| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
+| --- | --- | --- | --- | --- |
+| Delivery Optimization |  |  |  |  |
+| BranchCache |  |  | |  |
+
+>[!NOTE]
+>Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases.
+>
+>In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx).
+
+## Express update delivery
+
+Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+
+### How Microsoft supports Express
+- **Express on WSUS Standalone**
+
+ Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
+- **Express on devices directly connected to Windows Update**
+- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
+
+### How Express download works
+
+For OS updates that support Express, there are two versions of the file payload stored on the service:
+1. **Full-file version** - essentially replacing the local versions of the update binaries.
+2. **Express version** - containing the deltas needed to patch the existing binaries on the device.
+
+Both the full-file version and the Express version are referenced in the udpate's metadata, which has been downloaded to the client as part of the scan phase.
+
+**Express download works as follows:**
+
+The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests).
+
+1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package.
+2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered.
+3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required.
+4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded.
+
+At this point, the download is complete and the update is ready to be installed.
+
+## Steps to manage updates for Windows 10
+
+ [Learn about updates and servicing branches](waas-overview.md)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  Manage updates using Windows Update for Business (this topic)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
diff --git a/windows/update/waas-overview.md b/windows/update/waas-overview.md
new file mode 100644
index 0000000000..d597a74145
--- /dev/null
+++ b/windows/update/waas-overview.md
@@ -0,0 +1,193 @@
+---
+title: Overview of Windows as a service (Windows 10)
+description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Overview of Windows as a service
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+- Windows 10 IoT Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+
+## Building
+
+Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues.
+
+In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
+
+Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
+
+Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
+
+## Deploying
+
+Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple.
+
+One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified.
+
+### Application compatibility
+
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
+
+Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
+
+For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
+
+### Device compatibility
+
+Device compatibility in Windows 10 is also very strong; new hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10.
+
+## Servicing
+
+Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
+
+With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+
+For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
+
+To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches).
+
+
+### Feature updates
+
+With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — two to three times per year rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
+
+### Quality updates
+
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
+
+In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
+
+**Figure 1**
+
+
+
+
+
+## Servicing branches
+
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+
+The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
+
+>[!NOTE]
+>Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+
+
+### Current Branch
+
+In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
+
+When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
+
+
+### Current Branch for Business
+
+Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months.
+
+
+>[!NOTE]
+>Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
+
+Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back.
+
+### Long-term Servicing Branch
+
+Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+
+>[!NOTE]
+>LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch.
+
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
+
+>[!NOTE]
+>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
+
+LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
+
+>[!NOTE]
+>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB.
+
+### Windows Insider
+
+For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
+
+Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about how to sign up for the Windows Insider Program and enroll test devices, go to [https://insider.windows.com](https://insider.windows.com).
+
+>[!NOTE]
+>Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
+>
+>The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+
+
+
+## Servicing tools
+
+There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
+
+- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
+- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
+- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
+- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
+
+With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
+
+**Table 1**
+
+| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features |
+| --- | --- | --- | --- | --- |
+| Windows Update | Yes (manual) | No | Delivery Optimization | None|
+| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
+| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
+| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
+
+
+
+## Steps to manage updates for Windows 10
+
+ [Learn about updates and servicing branches](waas-overview.md)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  Optimize update delivery for Windows 10 updates (this topic)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Quick guide to Windows as a service](waas-quick-start.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
+
+
+
+
+
diff --git a/windows/update/waas-quick-start.md b/windows/update/waas-quick-start.md
new file mode 100644
index 0000000000..eef6aed2a3
--- /dev/null
+++ b/windows/update/waas-quick-start.md
@@ -0,0 +1,82 @@
+---
+title: Quick guide to Windows as a service (Windows 10)
+description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Quick guide to Windows as a service
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+- Windows 10 IoT Mobile
+
+Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
+
+## Definitions
+
+Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
+- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
+- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
+- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
+- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically don’t run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure.
+- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
+
+See [Overview of Windows as a service](waas-overview.md) for more information.
+
+## Key Concepts
+
+New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment.
+
+Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced.
+
+Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
+
+See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
+
+## Staying up to date
+
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
+
+Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
+
+This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
+
+Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
+
+See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information.
+
+## Video: An overview of Windows as a service
+
+
+
+## Learn more
+
+[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
+
+
+
+
+
diff --git a/windows/update/waas-restart.md b/windows/update/waas-restart.md
new file mode 100644
index 0000000000..ffb43434aa
--- /dev/null
+++ b/windows/update/waas-restart.md
@@ -0,0 +1,151 @@
+---
+title: Manage device restarts after updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage device restarts after updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+
+## Schedule update installation
+
+In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time.
+
+To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+
+**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
+
+While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
+
+For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+## Delay automatic reboot
+
+When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion:
+
+- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+
+You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
+
+For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+## Configure active hours
+
+*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
+
+By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
+
+Administrators can use multiple ways to set active hours for managed devices:
+
+- You can use Group Policy, as described in the procedure that follows.
+- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
+- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
+
+### Configuring active hours with Group Policy
+
+To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
+
+
+
+### Configuring active hours with MDM
+
+MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
+
+### Configuring active hours through Registry
+
+This method is not recommended, and should only be used when neither Group Policy or MDM are available.
+Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
+
+You should set a combination of the following registry values, in order to configure active hours.
+Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
+
+For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+>[!NOTE]
+>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
+>
+>
+
+## Limit restart delays
+
+After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+
+## Group Policy settings for restart
+
+In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+
+| Policy | Applies to Windows 10 | Notes |
+| --- | --- | --- |
+| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates.  Learn about updates and servicing branches (this topic)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
There is no equivalent MDM policy setting for Windows 10 Mobile. |
+| Re-prompt for restart with scheduled installations |  | |
+| Delay Restart for scheduled installations |  | |
+| Reschedule Automatic Updates scheduled installations |  | |
+
+>[!NOTE]
+>You can only choose one path for restart behavior.
+>
+>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
+
+## Registry keys used to manage restart
+The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
+
+**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
+
+**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at ascheduled time |
+| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
+| AUOptions | REG_DWORD | 2: notify for download and automatically install updates3: automatically download and notify for instllation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
+| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation |
+| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+
+There are 3 different registry combinations for controlling restart behavior:
+
+- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
+- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
+- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+
+
+
+
+
+
+
+
diff --git a/windows/update/waas-servicing-branches-windows-10-updates.md b/windows/update/waas-servicing-branches-windows-10-updates.md
new file mode 100644
index 0000000000..322b7c07b2
--- /dev/null
+++ b/windows/update/waas-servicing-branches-windows-10-updates.md
@@ -0,0 +1,220 @@
+---
+title: Assign devices to servicing branches for Windows 10 updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Assign devices to servicing branches for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+
+Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10.
+
+| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program |
+| --- | --- | --- | --- | --- |
+| Home |  |  |  |  |
+| Pro |  |  |  |  |
+| Enterprise |  |  |  |  |
+| Enterprise LTSB |  |  |  |  |
+| Pro Education |  |  |  |  |
+| Education |  |  |  |  |
+| Mobile |  |  |  |  |
+| Mobile Enterprise |  |  |  |  |
+
+
+
+>[!NOTE]
+>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+## Assign devices to Current Branch for Business
+
+**To assign a single PC locally to CBB**
+
+1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
+2. Select **Defer feature updates**.
+
+**To assign PCs to CBB using Group Policy**
+
+- In Windows 10, version 1511:
+
+ Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates**
+
+- In Windows 10, version 1607:
+
+ Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB
+
+**To assign PCs to CBB using MDM**
+
+- In Windows 10, version 1511:
+
+ ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade**
+
+- In Windows 10, version 1607:
+
+ ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
+
+**To assign Windows 10 Mobile Enterprise to CBB using MDM**
+
+- In Windows 10 Mobile Enterprise, version 1511:
+
+ ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
+
+- In Windows 10 Mobile Enterprise, version 1607:
+
+ ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+
+## Enroll devices in the Windows Insider Program
+
+Enrolling devices in the Windows Insider Program is simple and requires only a Microsoft account. To enroll a device in the Windows Insider Program, complete the following steps on the device that you want to enroll:
+
+1. Go to **Start** > **Settings** > **Update & security** > **Windows Insider Program**.
+
+2. Select **Get started**.
+ >[!NOTE]
+ >If you didn’t use a Microsoft account to log in to the computer, you’ll be prompted to log in. If you don’t have a Microsoft account, you can create one now.
+
+3. Read the privacy statement and program terms, and then click **Next**.
+
+6. Click **Confirm**, and then select a time to restart the computer.
+
+## Install your first preview build from the Windows Insider Program
+
+After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select.
+
+The options for Insider level are:
+- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+- **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
+- **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.
+
+>[!NOTE]
+>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
+
+## Block access to Windows Insider Program
+
+To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
+
+- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
+- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
+
+## Switching branches
+
+During the life of a device, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
+
+
+
+
+
+## Steps to manage updates for Windows 10
+
+
+
+
+
+From this branch
+To this branch
+You need to
+
+
+Windows Insider Program
+Current Branch
+Wait for the final Current Branch release.
+
+
+Current Branch for Business
+Not directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.
+
+
+Long-Term Servicing Branch
+Not directly possible (requires wipe-and-load).
+
+
+Current Branch
+Insider
+Use the Settings app to enroll the device in the Windows Insider Program.
+
+
+Current Branch for Business
+Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
+
+
+Long-Term Servicing Branch
+Not directly possible (requires wipe-and-load).
+
+
+Current Branch for Business
+Insider
+Use the Settings app to enroll the device in the Windows Insider Program.
+
+
+Current Branch
+Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Branch release.
+
+
+Long-Term Servicing Branch
+Not directly possible (requires wipe-and-load).
+
+
+Long-Term Servicing Branch
+Insider
+Use media to upgrade to the latest Windows Insider Program build.
+
+
+Current Branch
+Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
+
+
+
+Current Branch for Business
+Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
+
+
+
+
+## Block user access to Windows Update settings
+
+In Windows 10, administrators can control user access to Windows Update.
+By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+>[!NOTE]
+> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
diff --git a/windows/update/waas-servicing-strategy-windows-10-updates.md b/windows/update/waas-servicing-strategy-windows-10-updates.md
new file mode 100644
index 0000000000..52c156bbeb
--- /dev/null
+++ b/windows/update/waas-servicing-strategy-windows-10-updates.md
@@ -0,0 +1,70 @@
+---
+title: Prepare servicing strategy for Windows 10 updates (Windows 10)
+description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Prepare servicing strategy for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
+
+**Figure 1**
+
+
+
+Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
+
+- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics).
+
+>[!NOTE]
+>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](https://technet.microsoft.com/itpro/windows/plan/index).
+
+Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
+
+1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
+2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
+
+
+## Steps to manage updates for Windows 10
+
+ [Learn about updates and servicing branches](waas-overview.md)  [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  Assign devices to servicing branches for Windows 10 updates (this topic)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-wufb-group-policy.md b/windows/update/waas-wufb-group-policy.md
new file mode 100644
index 0000000000..87d3b8ba3f
--- /dev/null
+++ b/windows/update/waas-wufb-group-policy.md
@@ -0,0 +1,352 @@
+---
+title: Walkthrough use Group Policy to configure Windows Update for Business (Windows 10)
+description: Configure Windows Update for Business settings using Group Policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Walkthrough: use Group Policy to configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
+
+In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
+
+>[!NOTE]
+>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
+
+To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
+
+## Configure Windows Update for Business in Windows 10 version 1511
+
+In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
+- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
+
+>[!NOTE]
+>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
+>
+>Windows 10 version 1511 does not support deferment of CB builds of Windows 10, so you can establish only one CB deployment ring. In version 1607 and later, CB builds can be delayed, making it possible to have multiple CB deployment rings.
+
+ Complete the following steps on a PC running the Remote Server Administration Tools or on a domain controller.
+
+ ### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) that’s appropriate for your Active Directory Domain Services (AD DS) structure.
+
+5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
+
+7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
+
+ 
+
+ In the **Defer Upgrades and Updates** Group Policy setting configuration, you see several options:
+ - **Enable/Disable Deferred Updates**. Enabling this policy setting sets the receiving client to the CBB servicing branch. Specifically disabling this policy forces the client into the CB servicing branch, making it impossible for users to change it.
+ - **Defer upgrades for the following**. This option allows you to delay feature updates up to 8 months, a number added to the default CBB delay (approximately 4 months from CB). By using Windows Update for Business, you can use this option to stagger CBB feature updates, making the total offset up to 12 months from CB.
+ - **Defer updates for the following**. This option allows you to delay the installation of quality updates on a Windows 10 device for up to 4 weeks, allowing for phased rollouts of updates in your enterprise, but not all quality updates are deferrable with this option. Table 1 shows the deferment capabilities by update type.
+ - **Pause Upgrades and Updates**. Should an issue arise with a feature update, this option allows a one-time skip of the current month’s quality and feature update. Quality updates will resume after 35 days, and feature updates will resume after 60 days. For example, deploy this setting as a stand-alone policy to the entire organization in an emergency.
+
+ Table 1 summarizes the category of update in Windows 10 and how long Windows Update for Business can defer its installation.
+
+ **Table 1**
+
+  [Learn about updates and servicing branches](waas-overview.md)  Prepare servicing strategy for Windows 10 updates (this topic)  [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)  [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)  [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)  [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+ Simply enabling the **Defer Upgrades and Updates** policy sets the receiving client to the CBB servicing branch, which is what you want for your first deployment ring, **Ring 4 Broad business users**.
+
+8. Enable the **Defer Updates and Upgrades** setting, and then click **OK**.
+
+9. Close the Group Policy Management Editor.
+
+Because the **Windows Update for Business - CBB1** GPO contains a computer policy and you only want to apply it to computers in the **Ring 4 Broad business users** group, use **Security Filtering** to scope the policy’s effect.
+
+### Scope the policy to the Ring 4 Broad business users group
+
+1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
+
+ 
+
+
+The **Ring 4 Broad business users** deployment ring has now been configured. Next, configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 2-week delay for feature updates.
+
+
+### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
+
+5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
+
+7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
+
+8. Enable the **Defer Updates and Upgrades** setting, configure the **Defer upgrades for the following** option for 1 month, and then configure the **Defer updates for the following** option for 1 week.
+
+ 
+
+9. Click **OK** and close the Group Policy Management Editor.
+
+
+### Scope the policy to the Ring 5 Broad business users \#2 group
+
+1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users \#2** group.
+
+## Configure Windows Update for Business in Windows 10 version 1607
+
+To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
+
+In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
+
+- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 4 weeks after they are released.
+- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
+- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
+
+In this example, you configure and scope the update schedules for all three groups.
+
+### Configure Ring 2 Pilot Business Users policy
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CB2** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) that’s appropriate for your Active Directory Domain Services (AD DS) structure.
+
+5. Right-click the **Windows Update for Business - CB2** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
+
+7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
+
+8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CB**, set the feature update delay to **28** days, and then click **OK**.
+
+ 
+
+ Table 3 summarizes the category of updates in Windows 10, version 1607, and how long Windows Update for Business can defer its installation.
+
+ **Table 3**
+
+
+
+ Category
+ Maximum deferral
+ Deferral increments
+ Classification type
+ Classification GUID
+
+
+ OS upgrades
+ 8 months
+ 1 month
+ Upgrade
+ 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
+
+
+ OS updates
+ 4 weeks
+ 1 week
+ Security updates
+ 0FA1201D-4330-4FA8-8AE9-B877473B6441
+
+
+ Drivers
+ EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
+
+
+ Updates
+ CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
+
+
+ Other/non-deferrable
+ No deferral
+ No deferral
+ Definition updates
+ E0789628-CE08-4437-BE74-2495B842F43B
+
+
+
+9. Close the Group Policy Management Editor.
+
+Because the **Windows Update for Business – CB2** GPO contains a computer policy and you only want to apply it to computers in the **Ring 2 Pilot Business Users** group, use **Security Filtering** to scope the policy’s effect.
+
+### Scope the policy to the Ring 2 Pilot Business Users group
+
+1. In the GPMC, select the **Windows Update for Business - CB2** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 2 Pilot Business Users** group.
+
+ 
+
+The **Ring 2 Pilot Business Users** deployment ring has now been configured. Next, configure **Ring 4 Broad business users** to set those clients into the CBB servicing branch so that they receive feature updates as soon as they’re made available for the CBB servicing branch.
+
+### Configure Ring 4 Broad business users policy
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
+
+5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
+
+7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
+
+8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, and then click **OK**.
+
+ 
+
+9. Close the Group Policy Management Editor.
+
+
+
+### Scope the policy to the Ring 4 Broad business users group
+
+1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
+
+
+The **Ring 4 Broad business users** deployment ring has now been configured. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates
+
+### Configure Ring 5 Broad business users \#2 policy
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
+
+5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
+
+7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
+
+8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, set the feature update delay to **14** days, and then click **OK**.
+
+ 
+
+9. Right-click **Select when Quality Updates are received**, and then click **Edit**.
+
+10. In the **Select when Quality Updates are received** policy, enable it, set the quality update delay to **7** days, and then click **OK**.
+
+ 
+
+11. Close the Group Policy Management Editor.
+
+
+
+### Scope the policy to the Ring 5 Broad business users \#2 group
+
+1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/update/waas-wufb-intune.md b/windows/update/waas-wufb-intune.md
new file mode 100644
index 0000000000..c730a5edfd
--- /dev/null
+++ b/windows/update/waas-wufb-intune.md
@@ -0,0 +1,283 @@
+---
+title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
+description: Configure Windows Update for Business settings using Microsoft Intune.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Walkthrough: use Microsoft Intune to configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
+
+Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
+
+To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
+
+>[!NOTE]
+>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/en-us/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune)
+
+## Configure Windows Update for Business in Windows 10, version 1511
+
+In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
+- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
+
+>[!NOTE]
+>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
+
+### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+ 
+
+8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates.
+
+### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
+
+1. In the Policy workspace, click **Configuration Policies**, and then click **Add**.
+
+2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+ In this policy, you add two OMA-URI settings, one for each deferment type.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
+
+7. Click **OK** to save the setting.
+
+8. In the **OMA-URI Settings** section, click **Add**.
+
+9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
+
+11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
+
+12. In the **Value** box, type **1**.
+
+13. Click **OK** to save the setting.
+
+14. In the **OMA-URI Settings** section, click **Add**.
+
+15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
+
+17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
+
+18. In the **Value** box, type **1**.
+
+19. Click **OK** to save the setting.
+
+ Three settings should appear in the **Windows Update for Business – CBB2** policy.
+
+ 
+
+20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
+
+21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**.
+
+## Configure Windows Update for Business in Windows 10 version 1607
+
+To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
+
+In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
+
+- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released.
+- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
+- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
+
+### Configure Ring 2 Pilot Business Users policy
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **0**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+ 
+
+8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list.
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
+11. In the **Value** box, type **28**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available.
+
+### Configure Ring 4 Broad business users policy
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+
+8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
+
+11. In the **Value** box, type **0**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
+
+
+### Configure Ring 5 Broad business users \#2 policy
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+
+8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
+
+11. In the **Value** box, type **7**, and then click **OK**.
+
+8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
+
+11. In the **Value** box, type **14**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
+
+
+
+
+
+
+ Category
+ Maximum deferral
+ Deferral increments
+ Example
+ Classification GUID
+
+
+ Feature Updates
+ 180 days
+ Days
+ From Windows 10, version 1511 to version 1607
+ 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
+
+
+ Quality Updates
+ 30 days
+ Days
+ Security updates
+ 0FA1201D-4330-4FA8-8AE9-B877473B6441
+
+
+ Drivers (optional)
+ EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
+
+ Non-security updates
+ CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
+ Microsoft updates (Office, Visual Studio, etc.) varies
+
+ Non-deferrable
+ No deferral
+ No deferral
+ Definition updates
+ E0789628-CE08-4437-BE74-2495B842F43B
+