reverting changes

README.md

@@ -8,7 +8,6 @@ Welcome! This repository houses the docs that are written for IT professionals f
 - [Surface](https://technet.microsoft.com/itpro/surface)
 - [Surface Hub](https://technet.microsoft.com/itpro/surface-hub)
 - [Windows 10 for Education](https://technet.microsoft.com/edu/windows)
-- [HoloLens](https://technet.microsoft.com/itpro/hololens)
 - [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop) 
 
 ## Contributing

browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md

@@ -10,6 +10,7 @@ title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11
 ms.sitesec: library
 ---
 
+
 # Deprecated document modes and Internet Explorer 11
 
 **Applies to:**
@@ -24,8 +25,8 @@ Windows Internet Explorer 8 introduced document modes as a way to move from the
 
 This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices.
 
->**Note**<br>
+**Note**<br>
->For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
+For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
 
 ## What is document mode?
 Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly.
@@ -40,8 +41,7 @@ The compatibility improvements made in IE11 lets older websites just work in the
 ## Document mode selection flowchart
 This flowchart shows how IE11 works when document modes are used.
 
-![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)<br>
+![Flowchart detailing how document modes are chosen in IE11](images/docmodeflow2.png)
-[Click this link to enlarge image](img-ie11-docmode-lg.md)
 
 ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
 The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode.

browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md

@@ -1,11 +0,0 @@
----
-description: A full-sized view of how document modes are chosen in IE11.
-title: Full-sized flowchart detailing how document modes are chosen in IE11
----
-
-Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
-
-<p style="overflow: auto;">
-	<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
-</p>
-

browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md

@@ -17,7 +17,7 @@ If you’re having problems launching your legacy apps while running Internet Ex
 
 1.  **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
 
-2.  **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
+2.  **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
 
 For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.
 

browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md

@@ -41,8 +41,8 @@ In IE, press **ALT+V** to show the **View** menu, press **T** to enter the **Too
 ## Where did the search box go?
 IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
 
->[!NOTE]
+**Note**<br>
->Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see  [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
+Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see  [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
 
  
 

devices/hololens/TOC.md

@@ -1,7 +1,7 @@
 # [Microsoft HoloLens](index.md)
 ## [HoloLens in the enterprise: requirements](hololens-requirements.md)
 ## [Set up HoloLens](hololens-setup.md)
-## [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) 
+## [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) 
 ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
 ## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
 ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)

devices/hololens/hololens-enroll-mdm.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Enroll HoloLens in MDM

devices/hololens/hololens-install-apps.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Install apps on HoloLens

devices/hololens/hololens-kiosk.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Set up HoloLens in kiosk mode

devices/hololens/hololens-provisioning.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Configure HoloLens using a provisioning package
@@ -101,7 +100,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
 
 Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
 
-In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
+In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens.
 
 ![Common runtime settings for HoloLens](images/icd-settings.png)
 

devices/hololens/hololens-requirements.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Microsoft HoloLens in the enterprise: requirements

devices/hololens/hololens-setup.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Set up HoloLens

devices/hololens/hololens-upgrade-enterprise.md

@@ -1,15 +1,14 @@
 ---
-title: Unlock Windows Holographic Enterprise features (HoloLens)
+title: Upgrade to Windows Holographic Enterprise (HoloLens)
 description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
-# Unlock Windows Holographic Enterprise features
+# Upgrade to Windows Holographic Enterprise
 
 Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. 
 

devices/hololens/index.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
-localizationpriority: medium
 ---
 
 # Microsoft HoloLens
@@ -22,7 +21,7 @@ localizationpriority: medium
 | --- | --- |
 | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
 | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time  |
-| [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md)  | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
+| [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
 | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
 | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app  |
 | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |

devices/surface-hub/TOC.md

@@ -36,5 +36,4 @@
 ### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
 ### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
 ## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
-## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
 ## [Change history for Surface Hub](change-history-surface-hub.md)

devices/surface-hub/accessibility-surface-hub.md

@@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
 | Mouse                 | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
 | Other options         | Defaults selected for **Visual options** and **Touch feedback**. |
 
-Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
+Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
 - Narrator
 - Magnifier
 - High contrast

devices/surface-hub/admin-group-management-for-surface-hub.md

@@ -74,7 +74,7 @@ If your organization is using AD or Azure AD, we recommend you either domain joi
 |---------------------------------------------------|-----------------------------------------|-------|
 | Create a local admin account                      | None                                    | The user name and password specified during first run |
 | Domain join to Active Directory (AD)              | Your organization uses AD               | Any AD user from a specific security group in your domain |
-| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic   | Global administrators only |
+| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic   | Global administators only |
 |                                              | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
 
 

devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md

@@ -1620,7 +1620,7 @@ In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and
 
 Note that in order to run the cmdlets, you need to set up a remote PowerShell session and:
 
--   Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using `set-user $admin -RemotePowerShellEnabled $true`)
+-   Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`)
 -   Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center.
 
 Create the policy.
@@ -1667,7 +1667,7 @@ This retrieves device information for every device that the account has been pro
 For a device account to automatically accept or decline meeting requests based on its availability, the **AutomateProcessing** attribute must be set to **AutoAccept**. This is recommended as to prevent overlapping meetings.
 
 ```PowerShell
-Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
+Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept
 ```
 
 ### <a href="" id="accept-ext-meetings-cmdlet"></a>Accepting external meeting requests

devices/surface-hub/change-history-surface-hub.md

@@ -14,19 +14,10 @@ localizationpriority: medium
 
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
 
-## January 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New |
-| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. |
-| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. |
-
 ## December 2016
 
 | New or changed topic | Description|
 | --- | --- |
-| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added information about Bluetooth accessories. |
 | [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) | Updated example procedures to include screenshots. |
 
 ## November 2016

devices/surface-hub/connect-and-display-with-surface-hub.md

@@ -13,7 +13,7 @@ localizationpriority: medium
 # Connect other devices and display with Surface Hub
 
 
-You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections, and also lists accessories that you can connect to Surface Hub using [Bluetooth](#bluetooth-accessories).
+You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections.
 
 ## Which method should I choose?
 
@@ -251,7 +251,7 @@ In Replacement PC Mode, Surface Hub supports any graphics adapter that can produ
 
 **55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
 
-**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, NVIDIA Quadro M6000, AMD FirePro W5100, AMD FirePro W7100, and AMD FirePro W9100. These are not the only graphics cards - others are available from other vendors. 
+**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, and NVIDIA Quadro M6000. These are not the only graphics cards - others are available from other vendors. 
 
 Check directly with graphics card vendors for the latest drivers.
 
@@ -273,7 +273,7 @@ Check directly with graphics card vendors for the latest drivers.
 </tr>
 <tr class="even">
 <td><p>AMD</p></td>
-<td><p>[http://support.amd.com/en-us/download](http://support.amd.com/en-us/download)</p></td>
+<td><p>[http://support.amd.com/download](http://support.amd.com/download)</p></td>
 </tr>
 <tr class="odd">
 <td><p>Intel</p></td>
@@ -470,19 +470,3 @@ Video Out port on the 84" Surface Hub
 </tbody>
 </table>
 
-## Cables
-
-Both the 55” and 84” Surface Hub devices have been tested to work with Certified DisplayPort and HDMI cables.  While vendors do sell longer cables that may work with the Surface Hub, only those cables that have been certified by testing labs are certain to work with the Hub. For example, DisplayPort cables are certified only up to 3 meters, however many vendors sell cables that are 3 times that length. If a long cable is necessary, we strongly suggest using HDMI.  HDMI has many cost-effective solutions for long-haul cables, including the use of repeaters. Nearly every DisplayPort source will automatically switch to HDMI signaling if a HDMI sink is detected.
-
-
-## Bluetooth accessories
-
-You can connect the following accessories to Surface Hub using Bluetooth:
-
-- Mice
-- Keyboards
-- Headsets
-- Speakers
-
->[!NOTE]
->After you connect a Bluetooth headset or speaker, you might need to change the [default microphone and speaker settings](local-management-surface-hub-settings.md).

devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md

@@ -53,7 +53,7 @@ Use this procedure if you use Exchange on-prem.
     ```ps1
     Set-ExecutionPolicy Unrestricted
     $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
-    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
+    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection
     Import-PSSession $sess
     ```
 

devices/surface-hub/index.md

@@ -34,8 +34,7 @@ Documents related to the Microsoft Surface Hub.
 <td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
 <td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
 </tr>
-<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr>
+<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr><tr>
-<tr><td>[How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)</td><td>This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. </td></tr>
+<td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
-<tr><td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
 </tbody>
 </table>

devices/surface-hub/manage-windows-updates-for-surface-hub.md

@@ -94,7 +94,7 @@ Once you've determined deployment rings for your Surface Hubs, configure update
 
 ## Use Windows Server Update Services
 
-You can connect Surface Hub to your Windows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
+You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
 
 **To manually connect a Surface Hub to a WSUS server:**
 1. Open **Settings** on your Surface Hub.

devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md

@@ -99,7 +99,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
 8.  OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it:
 
     ```PowerShell
-    Set-CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
+    CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
      -LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com
      -Identity HUB01 -EnterpriseVoiceEnabled $true
     ```

devices/surface-hub/online-deployment-surface-hub-device-accounts.md

@@ -54,10 +54,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
     ```
 
-    Once you have a compatible policy, then you will need to apply the policy to the device account.
+    Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
 
     ```PowerShell
+    Set-Mailbox 'HUB01@contoso.com' -Type Regular
     Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
+    Set-Mailbox 'HUB01@contoso.com' -Type Room
+    Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force) -EnableRoomMailboxAccount $true
     ```
 
 4.  Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
@@ -81,10 +84,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
     ```
 
-7.  Surface Hub requires a license for Skype for Business functionality.
+7.  The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
-    - Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
-    - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
-    - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).    
 
     Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
 
@@ -98,6 +98,15 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
 
 8.  Enable the device account with Skype for Business.
 
+    In order to enable Skype for Business, your environment will need to meet the following prerequisites:
+
+    -   You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
+    -   If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
+    -   Your tenant users must have Exchange mailboxes.
+    -   Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
+
+    <!-- -->
+
     -   Start by creating a remote PowerShell session from a PC.
 
         ```PowerShell
@@ -106,25 +115,33 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
         Import-PSSession $cssess -AllowClobber
         ```
 
-   - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*):
+    -   To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
+
+        ```PowerShell
+        Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool  
+        "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
+        ```
+
+        If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
 
         ```PowerShell
         Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
         ```
-        OR by setting a variable
-        ```PowerShell
-        $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool
-        ```
 
-    - Enable the Surface Hub account with the following cmdlet:
+9.  Assign Skype for Business license to your Surface Hub account.
 
-        ```PowerShell
+    Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
-        Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress
-        OR using the $strRegistarPool variable from above
-        Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress
-        ```
 
-For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account.
+    -   Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
+    -   Click on **Users and Groups** and then **Add users, reset passwords, and more**.
+    -   Select the Surface Hub account, and then click or tap the pen icon, which means edit.
+    -   Click on the **Licenses** option.
+    -   In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
+    -   Click **Save** and you're done.
+
+>**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
+
+For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
 
 
 

devices/surface-hub/save-bitlocker-key-surface-hub.md

@@ -24,7 +24,7 @@ There are several ways to manage your BitLocker key on the Surface Hub.
 
 2.  If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
 
-3.  If you’re using an admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+3.  If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
 
 
 ## Related topics

devices/surface-hub/surface-hub-wifi-direct.md

@@ -1,121 +0,0 @@
----
-title: How Surface Hub addresses Wi-Fi Direct security issues
-description: This topic provides guidance on Wi-Fi Direct security risks.
-keywords: change history
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: jdeckerMS
-localizationpriority: medium
----
-
-# How Surface Hub addresses Wi-Fi Direct security issues
-
-Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct.
-
-This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit.
-
-The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings.
-
-## Overview
-
-Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design. 
-
-It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hub’s implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker – even after compromising the Wi-Fi Direct / Miracast layer – to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).  
-
-## Wi-Fi Direct background
-
-Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
-
-Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
-
-Security for Wi-Fi Direct is provided by WPA2 using the WPS standard.  Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods.
-
-In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
-
-<span id="vulnerabilities" />
-## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
-
-**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
-
-|Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner.	| Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. |
-| Invitation and discovery using PBC allows an unauthenticated attacker to perform repeated connection attempts or unauthenticated connections are automatically accepted.	| By requiring WPS PIN security, Administrators can reduce the potential for such unauthorized connections or "Invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). |
-
-**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in WPS-PIN method design and implementation, other vulnerabilities exist within WPS-PBC involving active attacks against a protocol designed for one time use. 
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly teardown any Wi-Fi Direct group and attempt the described attack until it is successful. |Enable WPS-PIN security within Surface Hub’s configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". |
-| WPS-PIN implementations can be brute-forced using a Vulnerability within the WPS standard. Due to the design of split PIN verification, a number of implementation vulnerabilities occurred in the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. |	The Microsoft implementation of WPS within Surface Hub changes the pin every 30 seconds. In order to crack the pin, an attacker must work through the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force pin-cracking attack through WPS is unlikely. |
-| WPS-PIN can be cracked using an offline attack due to weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard discussed a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) within the wireless device lead to the ability to perform an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
-
-**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether.
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. |
-
-**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. |	Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
-
-**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
-
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. |	Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
-
-**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device. 
-
-|Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.)	| Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. |
-
-**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks.
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigations for these attack include:  enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user is interacting with a physical or virtual button to allow arbitrary device association. This process should happen only at setup within a small window, once the button is automatically "pushed", the device will accept any station associating via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. |	The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, helping enforce the generation of strong keys. It is recommended to enable WPS-PIN. |
-| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect which re-opens the window of opportunity for active attacks against WPS-PBC. |	Enable WPS-PIN security within Surface Hub’s configuration. |
-
-**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements.	| The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. |
-
-**Wireless evil twin or spoofing attacks**:  Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect.
-
-| Wi-Fi Direct Vulnerability |	Surface Hub Mitigation |
-| --- | --- |
-| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to fake malicious network. By supporting unauthenticated, auto-join Miracast an attacker could capture the intended display materials or attempt to perform network attacks on the connecting device. |	While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection. Subsequent connections use a persistent Wi-Fi Direct group and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. |
-
-## Surface Hub hardening guidelines
-
-Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
-
-For users who require additional security around the wireless interface, we recommend Surface Hub users enable the WPS-PIN security setting. This disables WPS-PBC mode and offers client authentication, and provides the strongest level of protection by preventing any unauthorized connections to Surface Hub.
-
-If concerns remain around authentication and authorization of a Surface Hub, we recommend users connect the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or using separate Ethernet network (preferably an entirely different physical network, but a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configurations to regain access.
-
-Also recommended: 
-- [Install regular system updates.](manage-windows-updates-for-surface-hub.md) 
-- Update the Miracast settings to disable auto-present mode.
-
-## Learn more
-
-- [Wi-Fi Direct specifications](http://www.wi-fi.org/discover-wi-fi/wi-fi-direct)
-- [Wireless Protected Setup (WPS) specification](http://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup)
-
-
-
-
-
-
-

devices/surface-hub/use-room-control-system-with-surface-hub.md

@@ -184,7 +184,7 @@ In Replacement PC mode, the power states are only Ready and Off and only change
 </tr>
 <tr class="even">
 <td align="left"><p>5</p></td>
-<td align="left"><p>S0</p></td>
+<td align="left"><p>50</p></td>
 <td align="left"><p>Ready</p></td>
 </tr>
 </tbody>

devices/surface/change-history-for-surface.md

@@ -17,12 +17,6 @@ This topic lists new and updated topics in the Surface documentation library.
 | --- | --- |
 |[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New |
 
-## December 2016
-
-|New or changed topic | Description |
-| --- | --- |
-|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)  | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
-
 ## November 2016
 
 |New or changed topic | Description |

devices/surface/considerations-for-surface-and-system-center-configuration-manager.md

@@ -65,7 +65,7 @@ However, issues may arise when organizations intend to use versions of Windows t
 
 ## Apply an asset tag during deployment
 
-Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
+Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
 
 To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
 

devices/surface/customize-the-oobe-for-surface-deployments.md

@@ -18,17 +18,16 @@ This article walks you through the process of customizing the Surface out-of-box
 
 It is common practice in a Windows deployment to customize the user experience for the first startup of deployed computers — the out-of-box experience, or OOBE.
 
->[!NOTE]
+>**Note:**  OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](http://msdn.microsoft.com/library/windows/hardware/dn898581.aspx).
->OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](http://msdn.microsoft.com/library/windows/hardware/dn898581.aspx).
 
 In some scenarios, you may want to provide complete automation to ensure that at the end of a deployment, computers are ready for use without any interaction from the user. In other scenarios, you may want to leave key elements of the experience for users to perform necessary actions or select between important choices. For administrators deploying to Surface devices, each of these scenarios presents a unique challenge to overcome.
 
 This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image).
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:<br/>
->Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:<br/>
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
->- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
+<br/>
->- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
+- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
 
  
 
@@ -42,7 +41,7 @@ To ensure that an automated deployment is not stopped by this page, the page mus
 ## Scenario 2: Surface Pen pairing in OOBE
 
 
-When you first take a Surface Pro 3, Surface Pro 4, Surface Book, or Surface Studio out of the package and start it up, the first-run experience of the factory image includes a prompt that asks you to pair the included Surface Pen to the device. This prompt is only provided by the factory image that ships with the device and is not included in other images used for deployment, such as the Windows Enterprise installation media downloaded from the Volume Licensing Service Center. Because pairing the Bluetooth Surface Pen outside of this experience requires that you enter the Control Panel or PC Settings and manually pair a Bluetooth device, you may want to have users or a technician use this prompt to perform the pairing operation.
+When you first take a Surface Pro 3, Surface Pro 4, or Surface Book out of the package and start it up, the first-run experience of the factory image includes a prompt that asks you to pair the included Surface Pen to the device. This prompt is only provided by the factory image that ships with the device and is not included in other images used for deployment, such as the Windows Enterprise installation media downloaded from the Volume Licensing Service Center. Because pairing the Bluetooth Surface Pen outside of this experience requires that you enter the Control Panel or PC Settings and manually pair a Bluetooth device, you may want to have users or a technician use this prompt to perform the pairing operation.
 
 To provide the factory Surface Pen pairing experience in OOBE, you must copy four files from the factory Surface image into the reference image. You can copy these files into the reference environment before you capture the reference image, or you can add them later by using Deployment Image Servicing and Management (DISM) to mount the image. The four required files are:
 
@@ -51,8 +50,7 @@ To provide the factory Surface Pen pairing experience in OOBE, you must copy fou
 -   %windir%\\system32\\oobe\\info\\default\\1033\\PenError\_en-US.png
 -   %windir%\\system32\\oobe\\info\\default\\1033\\PenSuccess\_en-US.png
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;You should copy the files from a factory image for the same model Surface device that you intend to deploy to. For example, you should use the files from a Surface Pro 3 to deploy to Surface Pro 3, and the files from Surface Book to deploy Surface Book, but you should not use the files from a Surface Pro 3 to deploy Surface Book or Surface Pro 4.
->You should copy the files from a factory image for the same model Surface device that you intend to deploy to. For example, you should use the files from a Surface Pro 3 to deploy to Surface Pro 3, and the files from Surface Book to deploy Surface Book, but you should not use the files from a Surface Pro 3 to deploy Surface Book or Surface Pro 4.
 
  
 

devices/surface/deploy-surface-app-with-windows-store-for-business.md

@@ -11,14 +11,6 @@ author: miladCA
 
 #Deploy Surface app with Windows Store for Business
 
-**Applies to**
-* Surface Pro 4
-* Surface Book
-* Surface 3
-
->[!NOTE]
->The Surface app ships in Surface Studio.
-
 The Surface app is a lightweight Windows Store app that provides control of many Surface-specific settings and options, including: 
 
 * Enable or disable the Windows button on the Surface device 
@@ -33,7 +25,7 @@ The Surface app is a lightweight Windows Store app that provides control of many
 
 If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Windows Store for Business. 
 
-##Surface app overview
+####Surface app overview
 
 The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Windows Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Windows Store for Business, see [Windows Store for Business](https://technet.microsoft.com/windows/store-for-business) in the Windows TechCenter. 
 
@@ -81,8 +73,7 @@ After you add an app to the Windows Store for Business account in Offline mode,
 6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Imaging and Configuration Designer (Windows ICD). Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
 7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because you’ll need that later in this article.
 
->[!NOTE]
+>**Note:**  When you download an app for offline use, such as the Surface app, you may notice a section at the bottom of the page labeled **Required frameworks**. Your target computers must have the frameworks installed for the app to run, so you may need to repeat the download process for each of the required frameworks for your architecture (either x86 or x64) and also include them as part of your Windows deployment discussed later in this article.
->When you download an app for offline use, such as the Surface app, you may notice a section at the bottom of the page labeled **Required frameworks**. Your target computers must have the frameworks installed for the app to run, so you may need to repeat the download process for each of the required frameworks for your architecture (either x86 or x64) and also include them as part of your Windows deployment discussed later in this article.
 
 Figure 5 shows the required frameworks for the Surface app.
 
@@ -90,15 +81,13 @@ Figure 5 shows the required frameworks for the Surface app.
 
 *Figure 5. Required frameworks for the Surface app*
 
->[!NOTE]
+>**Note:**  The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
->The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
 
 To download the required frameworks for the Surface app, follow these steps:
 1.	Click the **Download** button under **Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
 2.	Click the **Download** button under **Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
 
->[!NOTE]
+>**Note:**  Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks. 
->Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks. 
 
 ##Install Surface app on your computer with PowerShell
 The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.

devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md

@@ -28,34 +28,21 @@ Driver and firmware updates for Surface devices are released in one of two ways:
 
 Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article.
 
->[!NOTE]
+>**Note:**  To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page. Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file.
->To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page. Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file.
  
 
 Recent additions to the downloads for Surface devices provide you with options to install Windows 10 on your Surface devices and update LTE devices with the latest Windows 10 drivers and firmware.
 
+>**Note:**  A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://support.microsoft.com/en-us/kb/2909710) for more information.
 
-
+ 
->[!NOTE]
->A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
-
-
-
-## Surface Studio
-
-Download the following updates for [Surface Studio from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=54311).
-
-* SurfaceStudio_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
-
 
 ## Surface Book
 
 
 Download the following updates [for Surface Book from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49497).
 
--   SurfaceBook_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+-   SurfaceBook\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
-
--	SurfaceBook_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -64,9 +51,7 @@ Download the following updates [for Surface Book from the Microsoft Download Cen
 
 Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49498).
 
--   SurfacePro4_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+-   SurfacePro4\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
-
--	SurfacePro4_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -75,21 +60,25 @@ Download the following updates for [Surface Pro 4 from the Microsoft Download Ce
 
 Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=38826).
 
--   SurfacePro3_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+-   SurfacePro3\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
 
--   SurfacePro3_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+-   SurfacePro3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
--   SurfacePro3_Win8x_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   SurfacePro3\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
 
--   SurfacePro3_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   SurfacePro3\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
 
 -   Surface Firmware Tool.msi – Firmware tools for UEFI management
 
+-   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+-   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
 -   Surface Pro 3 AssetTag.zip – UEFI Asset Tag management tool
 
--   Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1
+-   Surface Pro 3 Driver Set.ppkg – Deployment Asset Provisioning Package for Windows 10
 
--   Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
+-   Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -98,15 +87,15 @@ Download the following updates [for Surface Pro 3 from the Microsoft Download Ce
 
 Download the following updates [for Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49040).
 
--  Surface3_WiFi_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10  
+-   Surface3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
--   Surface3_WiFi_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+-   Surface3\_Win8x\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
 
--   Surface3_WiFi_Win8x_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   Surface3\_Win8x\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
 
--   Surface3_WiFi_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
 
--   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
+-   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -115,43 +104,49 @@ Download the following updates [for Surface 3 from the Microsoft Download Center
 
 Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49039).
 
--   Surface3_4GLTE-ATT_Win10_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
+-   Surface3\_US1\_Win10\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
 
--   Surface3_4GLTE-ATT_Win10_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
+-   Surface3\_US1\_Win10\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
 
--   Surface3_4GLTE-ATT_Win8x_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
+-   Surface3\_US1\_Win8x\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
 
--   Surface3_4GLTE-ATT_Win8x_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
+-   Surface3\_US1\_Win8x\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
 
--   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
+-   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+-   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
 Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49037).
 
--   Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
+-   Surface3\_NAG\_Win10\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
 
--   Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
+-   Surface3\_NAG\_Win10\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
 
--   Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
+-   Surface3\_NAG\_Win8x\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
 
--   Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
+-   Surface3\_NAG\_Win8x\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
 
--   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
+-   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+-   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
 Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49041).
 
--   Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
+-   Surface3\_ROW\_Win10\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
 
--   Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
+-   Surface3\_ROW\_Win10\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
 
--   Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
+-   Surface3\_ROW\_Win8x\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
 
--   Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
+-   Surface3\_ROW\_Win8x\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
 
--   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
+-   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+-   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 

devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md

@@ -11,8 +11,7 @@ author: Scottmca
 
 # Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
 
-**Applies to**
+#### Applies to
-- Surface Studio
 * Surface Pro 4
 * Surface Book
 * Surface 3
@@ -48,19 +47,13 @@ You can download and find out more about the Windows ADK at [Download the Window
 
 Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
 
-
+>**Note:**  The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
->[!NOTE]
->The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
-
 
 #### Windows Server
 
 Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
 
-
+>**Note:**  To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter).
->[!NOTE]
->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter).
-
 
 #### Windows Deployment Services
 
@@ -70,15 +63,11 @@ Windows Deployment Services (WDS) is leveraged to facilitate network boot capabi
 
 The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers – especially complex drivers that include application components like control panel applications – you ensure that the image created by your reference image process will be as universally compatible as possible.
 
->[!NOTE]
+>**Note:**  A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
->A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
 
 Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
 
-
+>**Note:**  Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library.  Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
->[!NOTE]
->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library.  Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
-
 
 #### Surface firmware and drivers
 
@@ -89,15 +78,13 @@ When you browse to the specific Microsoft Download Center page for your device,
 
 In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process.
 
->[!NOTE]
+>**Note:**  Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
->Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
 
 #### Application installation files
 
 In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line.
 
->[!NOTE]
+>**Note:**  If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
->If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
 
 #### Microsoft Surface Deployment Accelerator
 
@@ -109,8 +96,7 @@ Before you can configure the deployment environment with Windows images, drivers
 
 To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment – MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment.
 
->[!NOTE]
+>**Note:**  To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
->To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
 
 #### Install Windows Deployment Services
 
@@ -126,20 +112,17 @@ After the WDS role is installed, you need to configure WDS. You can begin the co
 
 *Figure 2. Configure PXE response for Windows Deployment Services*
 
->[!NOTE]
+>**Note:**  Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
->Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
 
 Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console.
 
->[!NOTE]
+>**Note:**  You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
->You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
 
 #### Install Windows Assessment and Deployment Kit
 
 To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
 
->[!NOTE]
+>**Note:**  You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
->You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
 
 When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3. 
 
@@ -187,16 +170,13 @@ To create the deployment share, follow these steps:
 
   * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**.
 
-      >[!NOTE]
+      >**Note:**  Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
-      >Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
 
   * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**.
 
-      >[!NOTE]
+      >**Note:**  The share name cannot contain spaces.
-      >The share name cannot contain spaces.
 
-      >[!NOTE]
+      >**Note:**  You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
-      >You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
 
   * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench.
   * **Options** – You can accept the default options on this page. Click **Next**.
@@ -209,8 +189,7 @@ To create the deployment share, follow these steps:
 
 To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media.
 
->[!NOTE]
+>**Note:**  If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
->If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
 
 You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices.
 
@@ -218,8 +197,7 @@ You now have an empty deployment share that is ready for you to add the resource
 
 The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
 
->[!NOTE]
+>**Note:**  A 64-bit operating system is required for compatibility with Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3.
->A 64-bit operating system is required for compatibility with Surface Studio, Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3.
 
 To import Windows 10 installation files, follow these steps:
 
@@ -256,8 +234,7 @@ Now that you’ve imported the installation files from the installation media, y
 
 As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process.
 
->[!NOTE]
+>**Note:**  For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
->For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
 
 To create the reference image task sequence, follow these steps:
 
@@ -269,15 +246,13 @@ To create the reference image task sequence, follow these steps:
 
 2. The New Task Sequence Wizard presents a series of steps, as follows:
   * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**.
-  >[!NOTE]
+  >**Note:**  The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
-  >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
   * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
   * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**.
   * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**.
   * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
   * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
-  >[!NOTE]
+  >**Note:**  During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
-  >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
   * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
   * **Progress** – While the task sequence is created, a progress bar is displayed on this page.
   * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
@@ -307,8 +282,7 @@ To update the MDT boot media, follow these steps:
 
 2. Use the Update Deployment Share Wizard to create boot images with the following process:
   * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**.
-  >[!NOTE]
+  >**Note:**  Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
-  >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
   * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images.
   * **Progress** – While the boot images are being generated, a progress bar is displayed on this page.
   * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
@@ -345,20 +319,17 @@ To import the MDT boot media into WDS for PXE boot, follow these steps:
   * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
   * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
 
->[!NOTE]
+>**Note:**  Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
->Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
 
 If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
 
->[!NOTE]
+>**Note:**  If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
->If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
 
 ### Deploy and capture a reference image
 
 Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When  you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.<br/><br/>
->You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When  you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.<br/><br/>
 By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
 
 You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
@@ -405,8 +376,7 @@ As the task sequence processes the deployment, it will automatically perform the
 * Reboot into WinPE
 * Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment. 
->The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment. 
 
 When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
 
@@ -431,8 +401,7 @@ To import the reference image for deployment, use the following steps:
   * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
 3.	Expand the folder in which you imported the image to verify that the import completed successfully.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
->You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
 
 Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
 
@@ -547,8 +516,7 @@ To create the deployment task sequence, follow these steps:
 1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
 2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
   * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**.
-  >[!NOTE]
+  >**Note:**&nbsp;&nbsp;The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
-  >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
   * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
   * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**.
   * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
@@ -585,7 +553,7 @@ After the task sequence is created it can be modified for increased automation,
 
    ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence")
 
-   *Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence*
+   Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence
 
 15.	Select the **Inject Drivers** step, the next step in the task sequence.
 16.	On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options:
@@ -759,15 +727,13 @@ To import the updated MDT boot media into WDS for PXE boot, follow these steps:
   * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
   * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
->Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
 
 ### Deploy Windows to Surface
 
 With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
->For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
 
 ![Set boot priority for PXE boot](images\surface-deploymdt-fig25.png "Set boot priority for PXE boot")
 
@@ -784,8 +750,7 @@ On a properly configured Surface device, simply turn on the device and press Ent
 * Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office
 * The task sequence will complete silently and log out of the device
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
->For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
 
 The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date.
 

devices/surface/enroll-and-configure-surface-devices-with-semm.md

@@ -19,8 +19,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage
 The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
 Run the Microsoft Surface UEFI Configurator Windows Installer (.msi) file to start the installation of the tool. When the installer completes, find Microsoft Surface UEFI Configurator in the All Apps section of your Start menu.
 
->[!NOTE]
+>**Note**:  Microsoft Surface UEFI Configurator is supported only on Windows 10.
->Microsoft Surface UEFI Configurator is supported only on Windows 10.
 
 ## Create a Surface UEFI configuration package
 
@@ -68,8 +67,7 @@ To create a Surface UEFI configuration package, follow these steps:
 13.	In the **Save As** dialog box, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**.
 14.	When the package is created and saved, the **Successful** page is displayed.
 
->[!NOTE]
+>**Note**:  Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
->Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
 
 ![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters")
 
@@ -77,8 +75,7 @@ To create a Surface UEFI configuration package, follow these steps:
 
 Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
 
->[!NOTE]
+>**Note**:  When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
->When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
 
 ## Enroll a Surface device in SEMM
 When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration files are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7.

devices/surface/ethernet-adapters-and-surface-device-deployment.md

@@ -55,8 +55,7 @@ To boot a Surface device from an alternative boot device, follow these steps:
 3.  Press and release the **Power** button.
 4.  After the system begins to boot from the USB stick or Ethernet adapter, release the **Volume Down** button.
 
->[!NOTE]
+>**Note:**  In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
->In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
 
  
 For Windows 10, version 1511 and later – including the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 1511 – the drivers for Microsoft Surface Ethernet Adapters are present by default. If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the latest version of the Windows ADK.

devices/surface/index.md

@@ -33,9 +33,7 @@ For more information on planning for, deploying, and managing Surface devices in
 | [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
 
 
-## Learn more
 
-[Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/849/Certifying-Surface-Pro-4-and-Surface-Book-as-standard-devices-at-Microsoft)
 
 
 

devices/surface/manage-surface-dock-firmware-updates.md

@@ -20,12 +20,9 @@ The Surface Dock provides external connectivity to Surface devices through a sin
 
 Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device.
 
-
+>**Note:**&nbsp;&nbsp;You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:<br/>
->[!NOTE]
+- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
->You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:
+- [Windows Update Makes Surface Better](https://blogs.windows.com/devices/2014/04/15/windows-update-makes-surface-better/#0MqzmYgshCDaJpvK.97) on the Microsoft Devices Blog
->- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
->- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog
-
 
  
 
@@ -73,8 +70,7 @@ There are three methods you can use to update the firmware of the Surface Dock:
 
 Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
->The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
 
  
 
@@ -85,9 +81,8 @@ This method is used mostly in environments where Surface device drivers and firm
 
 For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application).
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:<br/><br/>
->When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
+  **HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
-> **HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
 
 Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset:
 
@@ -99,8 +94,7 @@ Firmware status is displayed for both the main chipset (displayed as **Component
 
 -   **Component*xx*FirmwareUpdateStatusRejectReason** – This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
->These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
 
  
 

devices/surface/manage-surface-uefi-settings.md

@@ -12,7 +12,7 @@ author: miladCA
 
 #Manage Surface UEFI settings
 
-Current and future generations of Surface devices, including Surface Pro 4, Surface Book, and Surface Studio, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. 
+Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. 
 
 >[!NOTE]
 >Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.

devices/surface/microsoft-surface-data-eraser.md

@@ -20,19 +20,17 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
 
 Compatible Surface devices include:
 
-- Surface Studio
+-   Surface Book
 
-- Surface Book
+-   Surface Pro 4
 
-- Surface Pro 4
+-   Surface Pro3
 
-- Surface Pro3
+-   Surface 3
 
-- Surface 3
+-   Surface 3 LTE
 
-- Surface 3 LTE
+-   Surface Pro 2
-
-- Surface Pro 2
 
 Some scenarios where Microsoft Surface Data Eraser can be helpful include:
 
@@ -44,11 +42,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include:
 
 -   Standard practice when performing reimaging for devices used with sensitive data
 
->[!NOTE]
+>**Note:**  Third-party devices, Surface devices running Windows RT (including Surface and Surface 2), and Surface Pro are not compatible with Microsoft Surface Data Eraser.
->Third-party devices, Surface devices running Windows RT (including Surface and Surface 2), and Surface Pro are not compatible with Microsoft Surface Data Eraser.
 
->[!NOTE]
+>**Note:**  Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
->Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
 
 
 ## How to create a Microsoft Surface Data Eraser USB stick
@@ -75,9 +71,7 @@ After the creation tool is installed, follow these steps to create a Microsoft S
     *Figure 1. Start the Microsoft Surface Data Eraser tool*
 
 4.  Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
-
+  >**Note:**  If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
-  >[!NOTE]
-  >If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
   
     ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection")
 

devices/surface/microsoft-surface-deployment-accelerator.md

@@ -62,8 +62,7 @@ When the SDA completes, you can use the deployment share to deploy over the netw
 
 You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt#sec04), or to [pause the automated installation routine](https://blogs.technet.microsoft.com/mniehaus/2009/06/26/mdt-2010-new-feature-3-suspend-and-resume-a-lite-touch-task-sequence/). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
 
->[!NOTE]
+>**Note:**  With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
->With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
 
  
 
@@ -78,18 +77,15 @@ For environments where the SDA server will not be able to connect to the Interne
 
 You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
 
->[!NOTE]
+>**Note:**  Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
->Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
 
->[!NOTE]
+>**Note:**  Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box. 
->Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box. 
 
 ## Changes and updates
 
 SDA is periodically updated by Microsoft. For instructions on how these features are used, see [Step-by-Step: Microsoft Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator).
 
->[!NOTE]
+>**Note:**  To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
->To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
  
 ### Version 1.96.0405
 This version of SDA adds support for the following:

devices/surface/step-by-step-surface-deployment-accelerator.md

@@ -39,8 +39,7 @@ The tool installs in the SDA program group, as shown in Figure 2.
 
 *Figure 2. The SDA program group and icon*
 
->[!NOTE]
+>**Note:**  At this point the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
->At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
 
  
 
@@ -49,8 +48,7 @@ The tool installs in the SDA program group, as shown in Figure 2.
 
 The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
 
->[!NOTE]
+>**Note:**  SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
->SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
 
  
 
@@ -60,14 +58,12 @@ The following steps show you how to create a deployment share for Windows 10 th
 
 3.  On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
 
-  >[!NOTE]
+  >**Note:**  As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
-  >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
+    * Deployment tools
-  > * Deployment tools
+    * User State Migration Tool (USMT)
-  >  * User State Migration Tool (USMT)
+    * Windows Preinstallation Environment (WinPE)</br></br>
-  >  * Windows Preinstallation Environment (WinPE)</br></br>
 
-  >[!NOTE]
+  >**Note:**&nbsp;&nbsp;As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
-  >As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
 
 4.  On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
 
@@ -97,8 +93,7 @@ The following steps show you how to create a deployment share for Windows 10 th
 
     *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers*
 
-    >[!NOTE]
+    >**Note:**&nbsp;&nbsp;You cannot select both Surface 3 and Surface 3 LTE models at the same time.
-    >You cannot select both Surface 3 and Surface 3 LTE models at the same time.
 
 7.  On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
 
@@ -130,21 +125,17 @@ The following steps show you how to create a deployment share for Windows 10 th
 
 If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
->All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;The driver and app files do not need to be extracted from the downloaded .zip files.
->The driver and app files do not need to be extracted from the downloaded .zip files.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
->Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
 
 ![Specify Surface driver and app files](images/sdasteps-fig6-specify-driver-app-files.png "Specify Surface driver and app files")
 
 *Figure 6. Specify the Surface driver and app files from a local path*
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
->The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
 
  
 
@@ -152,8 +143,7 @@ If you are unable to connect to the Internet with your deployment server, or if
 
 You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended.
->The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended.
 
  
 
@@ -167,8 +157,9 @@ Before you can create bootable media files within the MDT Deployment Workbench o
 
 4.  **clean** – Removes all configuration from your USB drive.
 
-    >[!WARNING]
+    >**Warning:**&nbsp;&nbsp;This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command.
-    >This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command.
+
+     
 
 5.  **create part pri** – Creates a primary partition on the USB drive.
 
@@ -184,8 +175,7 @@ Before you can create bootable media files within the MDT Deployment Workbench o
 
     *Figure 7. Use DiskPart to prepare a USB drive for boot*
 
-    >[!NOTE]
+    >**Note:**&nbsp;&nbsp;You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
-    >You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
 
      
 
@@ -294,8 +284,9 @@ When you run the task sequence, you will be prompted to provide the following in
 
 -   A product key, if one is required
 
-    >[!NOTE]
+    >**Note:**&nbsp;&nbsp;If you are deploying the same version of Windows as the version that came on your device, no product key is required.
-    >If you are deploying the same version of Windows as the version that came on your device, no product key is required.
+
+     
 
 -   A time zone
 
@@ -309,9 +300,9 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a
 
 Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
 
->[!NOTE]
+>**Note:**&nbsp;&nbsp;Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](http://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](http://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
 
+ 
 
 In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
 

devices/surface/surface-diagnostic-toolkit.md

@@ -18,19 +18,23 @@ Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the ha
 
 The [Microsoft Surface Diagnostic Toolkit](https://www.microsoft.com/download/details.aspx?id=46703) is a small, portable diagnostic tool that runs through a suite of tests to diagnose the hardware of Surface devices. The Microsoft Surface Diagnostic Toolkit executable file is less than 3 MB, which allows it to be distributed through email. It does not require installation, so it can be run directly from a USB stick or over the network. The Microsoft Surface Diagnostic Toolkit walks you through several tests of individual components including the touchscreen, cameras, and sensors.
 
->[!NOTE]
+>**Note:**  A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices:
->A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices:
->- Surface Studio
->- Surface Book
->- Surface Pro 4
->- Surface 3 LTE
->- Surface 3
->- Surface Pro 3
->- Surface Pro 2
->- Surface Pro
 
->[!NOTE]
+- Surface Book
->Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the archive file (.zip) as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
+
+- Surface Pro 4
+
+- Surface 3 LTE
+
+- Surface 3
+
+- Surface Pro 3
+
+- Surface Pro 2
+
+- Surface Pro
+
+>**Note:**  Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the archive file (.zip) as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
 
 Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The test sequence includes several tests that require you to perform actions or observe the outcome of the test, and then click the applicable **Pass** or **Fail** button. Some tests require connectivity to external devices, like an external display. Other tests use the built in Windows troubleshooters. At the end of testing, a visual report of the test results is displayed and you are given the option to save a log file or copy the results to the clipboard.
 
@@ -50,8 +54,7 @@ To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you sh
 
 - A power adapter for your Surface device
 
->[!NOTE]
+>**Note:**  The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not resolve issues with the operating system or software.
->The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not resolve issues with the operating system or software.
 
 ## Configure test options
 
@@ -61,8 +64,7 @@ Before you select the tests you want to run, you can click the Tools ![images\su
 
 *Figure 1. The Tools button highlighted in upper right corner of window*  
 
->[!NOTE]
+>**Note:**  Any options you want to select must be specified before you run the tests. You cannot change the test options after the testing sequence has started.
->Any options you want to select must be specified before you run the tests. You cannot change the test options after the testing sequence has started.
 
 ####Test depth
 You can quickly select among three modes for testing and diagnostics by using the **Test Depth** page. The **Test Depth** page displays a slider with three possible positions, as shown in Figure 2. These positions determine which tests are run and what information is recorded without requiring you to select specific tests with the **Run Specific Tests** button. The three modes allow you to focus the tests of the Microsoft Surface Diagnostic Toolkit on hardware, software, or both hardware and software.
@@ -171,40 +173,34 @@ These files and logs are stored in a .zip file saved by the Microsoft Surface Di
 
 #### Type Cover test
 
->[!NOTE]
+>**Note:**  A Surface Type Cover is required for this test.
->A Surface Type Cover is required for this test.
 
 
 If a Surface Type Cover is not detected, the test prompts you to connect the Type Cover. When a Type Cover is detected the test prompts you to use the keyboard and touchpad. The cursor should move while you swipe the touchpad, and the keyboard Windows key should bring up the Start menu or Start screen to successfully pass this test. You can skip this test if a Type Cover is not used with the Surface device.
 
 #### Integrated keyboard test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard.
->This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard.
 
 This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. During the first stage of this test a diagram of the keyboard is displayed. When you press a key, the corresponding key will be marked on the diagram. The test will proceed when every key in the diagram is marked. In the second stage of this test, you are prompted to make several gestures on the keypad. As you perform each gesture (for example, a three finger tap), the gesture will be marked on the screen. When you have performed all gestures, the test will automatically complete.
 
->[!NOTE]
+>**Note:**  The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed.
->The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed.
 
 #### Canvas mode battery test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book.
->This test is only applicable to Surface Book.
 
 Depending on which mode Surface Book is in, different batteries are used to power the device. When Surface Book is in clipboard mode (detached form the keyboard) it uses an internal battery, and when it is connected in either laptop mode or canvas mode it uses different connections to the battery in the keyboard. In canvas mode, the screen is connected to the keyboard so that when the device is closed, the screen remains face-up and visible. Connect the Surface Book to the keyboard in this manner for the test to automatically proceed.
 
 #### Clipboard mode battery test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book.
->This test is only applicable to Surface Book.
 
 Disconnect the Surface Book from the keyboard to work in clipboard mode. In clipboard mode the Surface Book operates from an internal battery that is tested when the Surface Book is disconnected from the keyboard. Disconnecting the Surface Book from the keyboard will also disconnect the Surface Book from power and will automatically begin this test.
 
 #### Laptop mode battery test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book.
->This test is only applicable to Surface Book.
 
 Connect the Surface Book to the keyboard in the opposite fashion to canvas mode in laptop mode. In laptop mode the screen will face you when the device is open and the device can be used in the same way as any other laptop. Disconnect AC Power from the laptop base when prompted for this test to check the battery status.
 
@@ -214,29 +210,25 @@ In this test the battery is discharged for a few seconds and tested for health a
 
 #### Discrete graphics (dGPU) test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book models with a discrete graphics processor.
->This test is only applicable to Surface Book models with a discrete graphics processor.
 
 This test will query the device information of current hardware to check for the presence of both the Intel integrated graphics processor in the Surface Book and the NVIDIA discrete graphics processor in the Surface Book keyboard. The keyboard must be attached for this test to function.
 
 #### Discrete graphics (dGPU) fan test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book models with a discrete graphics processor.
->This test is only applicable to Surface Book models with a discrete graphics processor.
 
 The discrete graphics processor in the Surface Book includes a separate cooling fan. The fan is turned on automatically by the test for 5 seconds. Listen for the sound of the fan in the keyboard and report if the fan is working correctly when prompted.
 
 #### Muscle wire test
 
->[!NOTE]
+>**Note:**  This test is only applicable to Surface Book.
->This test is only applicable to Surface Book.
 
 To disconnect the Surface Book from the keyboard, software must instruct the muscle wire latch mechanism to open. This is typically accomplished by pressing and holding the undock key on the keyboard. This test sends the same signal to the latch, which unlocks the Surface Book from the Surface Book keyboard. Remove the Surface Book from the keyboard when you are prompted to do so.
 
 #### Dead pixel and display artifacts tests
 
->[!NOTE]
+>**Note:**  Before you run this test, be sure to clean the screen of dust or smudges.
->Before you run this test, be sure to clean the screen of dust or smudges.
 
 This test prompts you to view the display in search of malfunctioning pixels. The test displays full-screen, single-color images including black, white, red, green, and blue. Pixels that remain bright or dark when the screen displays an image of a different color indicate a failed test. You should also look for distortion or variance in the color of the screen.
 
@@ -254,8 +246,7 @@ The Surface touchscreen should detect input across the entire screen of the devi
 
 #### Digitizer pen test
 
->[!NOTE]
+>**Note:**  A Microsoft Surface Pen is required for this test.
->A Microsoft Surface Pen is required for this test.
 
 This test displays the same lines as those that are displayed during the Digitizer Touch test, but your input is performed with a Surface Pen instead of your finger. The lines should remain unbroken for as long as the Pen is pressed to the screen. Trace all of the lines in the image to look for unresponsive areas across the entire screen of the Surface device.
 
@@ -273,8 +264,7 @@ This test prompts you to use the volume rocker to turn the volume all the way up
 
 #### Micro SD or SD slot test
 
->[!NOTE]
+>**Note:**  This test requires a micro SD or SD card that is compatible with the slot in your Surface device.
->This test requires a micro SD or SD card that is compatible with the slot in your Surface device.
 
 Insert a micro SD or SD card when you are prompted. When the SD card is detected, the test prompts you to remove the SD card to ensure that the card is not left in the device. During this test a small file is written to the SD card and then verified. Detection and verification of the SD card automatically passes this test without additional input.
 
@@ -284,15 +274,13 @@ This test displays a meter that shows the microphone sound level and records aud
 
 #### Video out test
 
->[!NOTE]
+>**Note:**  This test requires an external display with the applicable connection for your Surface device.
->This test requires an external display with the applicable connection for your Surface device.
 
 Surface devices provide a Mini DisplayPort connection for connecting to an external display. Connect your display through the Mini DisplayPort on the device when prompted. The display should be detected automatically and an image should appear on the external display.
 
 #### Bluetooth test
 
->[!NOTE]
+>**Note:**  This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test.
->This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test.
 
 After you receive a prompt to put the device in pairing mode, the test opens the **Add a device** window and begins to search for discoverable Bluetooth devices. Watch the **Add a device** window to verify that your Bluetooth device is detected. Select your Bluetooth device from the list and connect to the device to complete the test.
 
@@ -300,20 +288,17 @@ After you receive a prompt to put the device in pairing mode, the test opens the
 
 Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus.
 
->[!NOTE]
+>**Note:**  You can also use the **Snapshot to Logs** option to save a snapshot of the video output to the log files.
->You can also use the **Snapshot to Logs** option to save a snapshot of the video output to the log files.
 
 #### Speaker test
 
->[!NOTE]
+>**Note:**  Headphones or external speakers are required to test the headphone jack in this test.
->Headphones or external speakers are required to test the headphone jack in this test.
 
 This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected through the headphone jack. Plug in your headphones or speakers to the 3.5mm stereo jack when prompted. The test will automatically detect that a sound playback device has been connected. Mark each channel as a pass or fail as you hear the audio play through the speakers or headphones.
 
 #### Network test
 
->[!NOTE]
+>**Note:**  Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed.
->Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed.
 
 This test uses the Windows Network Diagnostics built in troubleshooter to diagnose potential issues with network connectivity, including proxy configuration, DNS problems, and IP address conflicts. An event log is saved by this test in Windows logs and is visible in the Windows Event Viewer. The Event ID is 6100.
 
@@ -341,13 +326,11 @@ The compass detects which direction the Surface device is facing relative to nor
 
 The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes.
 
->[!NOTE]
+>**Note:**  You can also block the ambient light from the sensor by holding your hand slightly in front of the light sensor, which is located directly next to the camera. Use the provided meter to determine if you are blocking light from the sensor.
->You can also block the ambient light from the sensor by holding your hand slightly in front of the light sensor, which is located directly next to the camera. Use the provided meter to determine if you are blocking light from the sensor.
 
 #### Device orientation test
 
->[!NOTE]
+>**Note:**  Before you run this test, disable rotation lock from the Action Center if enabled.
->Before you run this test, disable rotation lock from the Action Center if enabled.
 
 The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. If you have a Surface Type Cover or the Surface Book keyboard connected, you will be prompted to disconnect the Surface from the keyboard to allow screen rotation. The test automatically passes when the screen orientation switches.
 
@@ -361,8 +344,7 @@ The Microsoft Surface Diagnostic Toolkit uses this test only if a Surface Dock i
 
 #### System assessment
 
->[!NOTE]
+>**Note:**  The Surface device must be connected to AC power before you can run this test.
->The Surface device must be connected to AC power before you can run this test.
 
 The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against the processor, memory, video adapter, and storage devices. The results include the processing speed of various algorithms, read and write performance of memory and storage, and performance in several Direct3D graphical tests.
 
@@ -376,15 +358,13 @@ If your Surface device has encountered an error that caused the device to fail o
 
 #### Connected standby text
 
->[!NOTE]
+>**Note:**  This test is only available on Surface devices running Windows 8 or Windows 8.1.
->This test is only available on Surface devices running Windows 8 or Windows 8.1.
 
 If connected standby is enabled on the Surface device, this test passes automatically. If connected standby is not enabled, a failure is recorded for this test. Find out more about Connected Standby and Modern Standby at [Modern Standby](https://msdn.microsoft.com/library/windows/hardware/mt282515) on MSDN.
 
 #### Modern standby test
 
->[!NOTE]
+>**Note:**  This test is only available on Surface devices running Windows 10.
->This test is only available on Surface devices running Windows 10.
 
 This test records log files of the power configuration for the Surface device using the **powercfg.exe /a** command. The test completes automatically and a failure is only recorded if the command does not run.
 
@@ -393,8 +373,7 @@ This test records log files of the power configuration for the Surface device us
 
 You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments:
 
->[!NOTE]
+>**Note:**  Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended.
->Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended.
 
 #### exclude
 
@@ -547,8 +526,7 @@ If a localization file with the same name and in the same folder as the executab
 
 A custom localization file selected through this process does not need a specific name. After you select the custom localization file, the Microsoft Surface Diagnostic Toolkit will import the contents and write them to a .locale file with the same name as the .exe file, just like if you click the **Generate** button to create a new .locale file.
 
->[!NOTE]
+>**Note:**  If you import a localization file by clicking the **Browse** button, an existing localization file will be overwritten without prompting if that file has the same name as the Microsoft Surface Diagnostic Toolkit executable file.
->If you import a localization file by clicking the **Browse** button, an existing localization file will be overwritten without prompting if that file has the same name as the Microsoft Surface Diagnostic Toolkit executable file.
 
 
  

devices/surface/surface-dock-updater.md

@@ -20,8 +20,7 @@ The [Microsoft Surface Dock Updater](https://www.microsoft.com/download/details.
 
 When you run the Microsoft Surface Dock Updater installer you will be prompted to accept an End User License Agreement (EULA).
 
->[!NOTE]
+>**Note:**  Updating Surface Dock firmware requires connectivity to the Surface Dock, available only on Surface Pro 3, Surface Pro 4, and Surface Book devices. A Surface Pro 3, Surface Pro 4, or Surface Book is required to successfully install Microsoft Surface Dock Updater.
->Updating Surface Dock firmware requires connectivity to the Surface Dock, available only on Surface Pro 3, Surface Pro 4, and Surface Book devices. A Surface Pro 3, Surface Pro 4, or Surface Book is required to successfully install Microsoft Surface Dock Updater.
 
 ## Update a Surface Dock with Microsoft Surface Dock Updater
 
@@ -76,8 +75,7 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
 9.  If you want to update multiple Surface Docks in one sitting, you can click the **Update another Surface Dock** button to begin the process on the next Surface Dock.
 
-    >[!NOTE]
+    >**Note:**  The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops blinking before you unplug your Surface Dock from power.
-    >The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops blinking before you unplug your Surface Dock from power.
 
      
 

devices/surface/surface-enterprise-management-mode.md

@@ -14,7 +14,7 @@ author: jobotto
 Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
 
 >[!NOTE]
->SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
+>SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
 
 When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
 

devices/surface/unenroll-surface-devices-from-semm.md

@@ -13,8 +13,7 @@ author: jobotto
 
 When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as reset or recovery. There are two methods you can use to unenroll a device from SEMM—a Surface UEFI reset package and a Recovery Request.
 
->[!WARNING]
+>**Warning:**  To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
->To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
 
 For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode).
 
@@ -28,8 +27,7 @@ Reset packages are created specifically for an individual Surface device. To beg
 
 *Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC information page*
 
->[!NOTE]
+>**Note:**  To boot to Surface UEFI, press **Volume Up** and **Power** simultaneously while the device is off. Hold **Volume Up** until the Surface logo is displayed and the device begins to boot.
->To boot to Surface UEFI, press **Volume Up** and **Power** simultaneously while the device is off. Hold **Volume Up** until the Surface logo is displayed and the device begins to boot.
 
 To create a Surface UEFI reset package, follow these steps:
 
@@ -81,8 +79,7 @@ To initiate a Recovery Request, follow these steps:
 
 4. Click or press **Get Started**.
 5. Click or press **Next** to begin the Recovery Request process.
-   >[!NOTE]
+   >**Note:**  A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
-   >A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
 6. Select **SEMM Certificate** from the list of certificates displayed on the **Choose a SEMM reset key** page (shown in Figure 7), and then click or press **Next**.
 
    ![Select SEMM certificate for your Recovery Request](images\surface-semm-unenroll-fig7.png "Select SEMM certificate for your Recovery Request")
@@ -104,8 +101,7 @@ To initiate a Recovery Request, follow these steps:
    * To use the Recovery Request (Reset Request) as text, simply type the text directly into Microsoft Surface UEFI Configurator.
 
 8. Open Microsoft Surface UEFI Configurator from the Start menu on another computer.
-    >[!NOTE]
+>**Note:**  Microsoft Surface UEFI Configurator must run in an environment that is able to authenticate the certificate chain for the SEMM certificate.
-    >Microsoft Surface UEFI Configurator must run in an environment that is able to authenticate the certificate chain for the SEMM certificate.
 9. Click **Start**.
 10. Click **Recovery Request**, as shown in Figure 10.
 

devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md

@@ -45,11 +45,8 @@ Performing an upgrade deployment of Windows 10 requires the same tools and resou
 You will also need to have available the following resources:
 
 * Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
-
+   >**Note:**  Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
-   >[!NOTE]
+* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
-   >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
-* [Surface firmware and drivers](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
-
 * Application installation files for any applications you want to install, such as the Surface app
 
 ## Prepare the upgrade deployment
@@ -105,8 +102,7 @@ Create the upgrade task sequence with the following process:
 1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
 2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
   - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
-  >[!NOTE]
+  >**Note:**  The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
-  >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
   - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
   - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**.
   - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.

education/windows/TOC.md

@@ -17,6 +17,5 @@
 ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
 ## [Chromebook migration guide](chromebook-migration-guide.md)
 ## [Change history for Windows 10 for Education](change-history-edu.md)

education/windows/change-history-edu.md

@@ -12,16 +12,6 @@ author: jdeckerMS
 
 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
 
-## January 2017
-| New or changed topic | Description |
-| --- | --- |
-| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. |
-
-## December 2016
-| New or changed topic | Description |
-| --- | --- |
-| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. |
-
 ## November 2016
 
 | New or changed topic | Description|

education/windows/deploy-windows-10-in-a-school-district.md

@@ -627,7 +627,7 @@ Now that you have created your new Office 365 Education subscription, add the do
 
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 
->**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+>**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
 
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
 

education/windows/education-scenarios-store-for-business.md

@@ -91,9 +91,9 @@ Find apps for your school using Windows Store for Business. Admins in an educati
 **To acquire apps**
 - For info on how to acquire apps, see [Acquire apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#acquire-apps) 
 
-**To add a payment method - debit or credit card**
+**To add a payment method**
 
-If the app you purchase has a price, you’ll need to provide a payment method. 
+If you the app you purchase has a price, you’ll need to provide a payment method. 
 - Click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
  
 For more information on payment options, see [payment options](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#payment-options). 

education/windows/index.md

@@ -42,13 +42,6 @@ author: CelesteDG
  <b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p></div>
    </div></div>
 
- ## ![Deploy Windows 10 for education](images/windows.png) Upgrade
-
- <div class="side-by-side"> <div class="side-by-side-content">
- <div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
- </div>
-
-
 ## Related topics
 
 - [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)

education/windows/school-get-minecraft.md

@@ -58,51 +58,6 @@ Qualified education institutions can purchase Minecraft: Education Edition licen
 - You’ll receive an email with a link to Windows Store for Business. 
 - Sign in to [Windows Store for Business](https://www.microsoft.com/business-store) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
 
-## Minecraft: Education Edition payment options
-You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice. 
-
-
-### Debit or credit cards
-
-During the purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
-
-### Invoices
-
-Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements:
-- Admins only (not supported for Teachers)
-- $500 invoice minimum for your initial purchase
-- $15,000 invoice maximum (for all invoices within your organization)
-
-**To pay with an invoice**
-
-1. During the purchase, click **Get started! Add a way to pay.**  
-
-    ![Buy page for an app, showing the link for Get started! Add a way to pay.](images/mcee-add-payment-method.png)
-
-2. Select the Invoice option, and provide the info needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
-
-    ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/mcee-invoice-info.png)
-
-### Find your invoice
-
-After you've finished the purchase, you can find your invoice by checking **Minecraft: Education Edition** in your **Inventory**. 
-
-> **Note**: After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Inventory**.
-
-**To view your invoice**
-1. In Windows Store for Business, click **Manage** and then click **Inventory**. 
-2. Click **Minecraft: Education Edition** in the list of apps. 
-3. On **Minecraft: Education Edition**, click **View Bills**.
-
-    ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-view-bills.png) 
-
-4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf.
-
-  ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png)
-
-The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. 
-
-
 ## <a href="" id="distribute-minecraft"></a>Distribute Minecraft
 
 After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:

education/windows/take-a-test-multiple-pcs.md

@@ -17,8 +17,8 @@ author: jdeckerMS
 
 Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
-- Take a Test shows just the test and nothing else.
+- A Microsoft Edge browser window opens, showing just the test and nothing else.
-- Take a Test clears the clipboard.
+- The clipboard is cleared.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.

education/windows/take-a-test-single-pc.md

@@ -17,8 +17,8 @@ author: jdeckerMS
 
 The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
-- Take a Test shows just the test and nothing else.
+- A Microsoft Edge browser window opens, showing just the test and nothing else.
-- Take a Test clears the clipboard.
+- The clipboard is cleared.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.
@@ -28,7 +28,6 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
 > [!TIP]  
 > To exit **Take a Test**, press Ctrl+Alt+Delete. 
 
-
 ## How you use Take a Test
 
 ![Use test account or test url in Take a Test](images/take-a-test-flow.png)
@@ -80,3 +79,9 @@ ms-edu-secureassessment:<URL>!enforceLockdown
 [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
 
 [Take a Test app technical reference](take-a-test-app-technical.md)
+
+
+
+
+
+

education/windows/windows-10-pro-to-pro-edu-upgrade.md

@@ -1,259 +0,0 @@
----
-title: Windows 10 Pro to Pro Education upgrade
-description: Describes how IT Pros can opt into a Windows 10 Pro Education upgrade from the Windows Store for Business.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: edu
-author: CelesteDG
----
-
-# Upgrade Windows 10 Pro to Pro Education from Windows Store for Business
-
-Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
-
-If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free upgrade to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for upgrade](#requirements-for-upgrade).
-
-Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro.
-
-Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
-
-When you upgrade to Windows 10 Pro Education, you get the following benefits:
-
--   **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB).
--   **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have.
--   **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic upgrade to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days).
-
-In summary, the Windows 10 Pro Education free upgrade through the Windows Store for Business is an upgrade offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition.
-
-## Compare Windows 10 Pro and Pro Education editions
-
-In Windows 10, version 1607, the Windows 10 Pro Education edition contains the same features as the Windows 10 Pro edition except for the following differences:
-
-- Cortana is removed from Windows 10 Pro Education
-- Options to manage Windows 10 tips and tricks and Windows Store suggestions
-
-See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
-
-## Requirements for upgrade
-
-Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements:
-- Devices must be:
-  - Running Windows 10 Pro, version 1607
-  - Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
-
-    If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses).
-- The user making the changes must be a member of the Azure AD global administrator group.
-- The Azure AD tenant must be recognized as an education approved tenant.
-- You must have a Windows Store for Business account.
-
-## Upgrade from Windows 10 Pro to Windows 10 Pro Education
-Once you enable the setting to upgrade Windows 10 Pro to Windows 10 Pro Education, the upgrade will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the upgrade.
-
-**To turn on the automatic upgrade from Windows 10 Pro to Windows 10 Pro Education**
-1. Sign in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account.
-
-  If this is the first time you're signing into the Store, you'll be prompted to accept the Windows Store for Business Terms of Use.
-2. Go to **Manage > Account information**.
-3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link.
-
-  You will see the following page informing you that your school is eligible for a free automatic upgrade from Windows 10 Pro to Windows 10 Pro Education.
-
-  ![Eligible for free Windows 10 Pro to Windows 10 Pro Education upgrade](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png)
-
-  **Figure 1** - Upgrade Windows 10 Pro to Windows 10 Pro Education
-
-4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**.
-5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the upgrade.
-
-  ![Email with Windows 10 Pro to Pro Education upgrade link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png)
-
-  **Figure 2** - Email notification with a link to enable the upgrade
-
-6. Click **Enable the automatic upgrade now** to turn on automatic upgrades.
-
-    ![Enable the automatic upgrade](images/wsfb_win10_pro_to proedu_upgrade_enable.png).
-
-    **Figure 3** - Enable the automatic upgrade
-
-    Enabling the automatic upgrade also triggers an email message notifying all global administrators in your organization about the upgrade. It also contains a link that enables any global administrators to cancel the upgrade, if they choose. For more info about rolling back or canceling the upgrade, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
-
-    ![Email informing other global admins about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png).
-
-    **Figure 4** - Notification email sent to all global administrators
-
-7. Click **Close** in the **Success** page.
-
-  In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the upgrade was enabled and the name of the admin who enabled the upgrade.
-
-  ![Summary page about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_summary.png)
-
-  **Figure 5** - Details about the automatic upgrade
-
-
-## Explore the upgrade experience
-
-So what will the users experience? How will they upgrade their devices?
-
-### For existing Azure AD domain joined devices
-Existing Azure AD domain joined devices will be upgraded from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
-
-### For new devices that are not Azure AD domain joined
-Now that you've turned on the setting to automatically upgrade Windows 10 Pro to Windows 10 Pro Education, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition.
-
-#### Step 1: Join users’ devices to Azure AD
-
-Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607.
-
-**To join a device to Azure AD the first time the device is started**
-
-1.  During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 6**.
-
-    <img src="images/windows-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
-
-    **Figure 6** - The “Who owns this PC?” page in initial Windows 10 setup
-
-2.  On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 7**.
-
-    <img src="images/windows-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
-
-    **Figure 7** - The “Choose how you’ll connect” page in initial Windows 10 setup
-
-3.  On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 8**.
-
-    <img src="images/windows-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
-
-    **Figure 8** - The “Let’s get you signed in” page in initial Windows 10 setup
-
-Now the device is Azure AD joined to the company’s subscription.
-
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up**
-
-1.  Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 9**.
-
-    <img src="images/win10-connect-to-work-or-school.png" alt="Connect to work or school configuration" />
-
-    **Figure 9** - Connect to work or school configuration in Settings
-
-2.  In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 10**.
-
-    <img src="images/win10-set-up-work-or-school.png" alt="Set up a work or school account" />
-
-    **Figure 10** - Set up a work or school account
-
-3.  On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 11**.
-
-    <img src="images/win10-lets-get-2.png" alt="Let's get you signed in - dialog box" />
-
-    **Figure 11** - The “Let’s get you signed in” dialog box
-
-Now the device is Azure AD joined to the company’s subscription.
-
-#### Step 2: Sign in using Azure AD account
-
-Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 12**. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device.
-
-<img src="images/windows-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
-
-**Figure 12** - Sign in by using Azure AD account
-
-#### Step 3: Verify that Pro Education edition is enabled
-
-You can verify the Windows 10 Pro Education in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 13**.
-
-<span id="win-10-activated-subscription-active"/>
-
-**Figure 13** - Windows 10 Pro Education in Settings
-
-<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
-
-If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
-## Troubleshoot the user experience
-
-In some instances, users may experience problems with the Windows 10 Pro Education upgrade. The most common problems that users may experience are as follows:
-
--   The existing Windows 10 Pro, version 1607 operating system is not activated.
-
--   The Windows 10 Pro Education upgrade has lapsed or has been removed.
-
-Use the following figures to help you troubleshoot when users experience these common problems:
-
-<span id="win-10-activated-subscription-active"/>
-
-**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education upgrade is active.
-
-<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
-
-<span id="win-10-not-activated"/>
-
-**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education upgrade is active.
-
-<img src="images/win-10-pro-edu-not-activated-subscription-active.png" alt="Windows 10 not activated and subscription active" /><br><br>
-
-
-### Review requirements on devices
-
-Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
-
-**To determine if a device is Azure Active Directory joined**
-
-1.  Open a command prompt and type **dsregcmd /status**.
-
-2.  Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
-
-**To determine the version of Windows 10**
-
--   At a command prompt, type:
-    **winver**
-
-    A popup window will display the Windows 10 version number and detailed OS build information.
-
-    If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
-
-## Roll back Windows 10 Pro Education to Windows 10 Pro
-
-If your organization has the Windows 10 Pro to Windows 10 Pro Education upgrade enabled, and you decide to roll back to Windows 10 Pro or to cancel the upgrade, you can do this by:
-- Logging into Windows Store for Business page and turning off the automatic upgrade.
-- Selecting the link to turn off the automatic upgrade from the notification email sent to all global administrators.
-
-Once the automatic upgrade to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were upgraded will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was upgraded may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an upgrade was enabled and then turned off will never see their device change from Windows 10 Pro.
-
-**To roll back Windows 10 Pro Education to Windows 10 Pro**
-1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic upgrade.
-2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link.
-3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**.
-
-  ![Turn off automatic upgrade to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png)
-
-  **Figure 15** - Link to turn off the automatic upgrade
-
-4. You will be asked if you're sure that you want to turn off automatic upgrades to Windows 10 Pro Education. Click **Yes**.
-5. Click **Close** in the **Success** page.
-6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the upgrade was disabled.
-
-  If you decide later that you want to turn on automatic upgrades again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**.
-
-## Preparing for deployment of Windows 10 Pro Education licenses
-
-If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.
-
-You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
-
-**Figure 16** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
-
-![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
-
-**Figure 16** - On-premises AD DS integrated with Azure AD
-
-For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
--   [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
--   [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
-
-## Related topics
-
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-
-[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-
-[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)

windows/deploy/TOC.md

@@ -11,9 +11,6 @@
 #### [Deploy Windows](upgrade-analytics-deploy-windows.md)
 #### [Review site discovery](upgrade-analytics-review-site-discovery.md)
 ### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
-## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
 ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
 ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
 #### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
@@ -53,17 +50,8 @@
 ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
 ## [Provisioning packages for Windows 10](provisioning-packages.md)
-### [How provisioning works in Windows 10](provisioning-how-it-works.md)
+### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
-### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
-### [Create a provisioning package](provisioning-create-package.md)
-### [Apply a provisioning package](provisioning-apply-package.md)
-### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-### [NFC-based device provisioning](provisioning-nfc.md)
-### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
 ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
 ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)

windows/deploy/assign-applications-using-roles-in-mdt-2013.md

@@ -122,11 +122,11 @@ Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe
 ## Related topics
 
 [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-<BR>[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-<BR>[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-<BR>[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-<BR>[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-<BR>[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt-2013.md)
-<BR>[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
  
  

windows/deploy/change-history-for-deploy-windows-10.md

@@ -11,26 +11,6 @@ author: greg-lindsay
 # Change history for Deploy Windows 10
 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
-## January 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | 
-| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | 
-| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | 
-| [Apply a provisioning package](provisioning-apply-package.md) | New (previously published in other topics) | 
-| [Create a provisioning package for Windows 10](provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) | 
-| [Create a provisioning package with multivariant settings](provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) | 
-| [How provisioning works in Windows 10](provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) | 
-| [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) | 
-| [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) | 
-| [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) |
-|  [Windows ICD command-line interface (reference)](provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | 
-| [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](provisioning-apply-package.md) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](provisioning-apply-package.md) |
-
-
 ## October 2016
 | New or changed topic | Description |
 |----------------------|-------------|

windows/deploy/create-a-windows-10-reference-image.md

@@ -167,7 +167,7 @@ If you need to add many applications, you can take advantage of the PowerShell s
 2.  Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
 
     ``` syntax
-    Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
+    Import-Topic "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
     New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab"
     ```
 

windows/deploy/index.md

@@ -17,7 +17,6 @@ Learn about deploying Windows 10 for IT professionals.
 |------|------------|
 |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
 |[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
-|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
 |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
 |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
 |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
@@ -25,7 +24,8 @@ Learn about deploying Windows 10 for IT professionals.
 |[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
-| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. |
+| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
+|  [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) | Create a provisioning package to add apps and certificates to a PC running Windows 10. |
 |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
 |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |

windows/deploy/provision-pcs-for-initial-deployment.md

@@ -4,7 +4,7 @@ description: Create a provisioning package to apply common settings to a PC runn
 ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
 keywords: ["runtime provisioning", "provisioning package"]
 ms.prod: W10
-ms.mktglfcycl: deploy
+ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
 localizationpriority: high
@@ -92,30 +92,40 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 > [!IMPORTANT]
 > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 
+## Apply package
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
     
- **Next step**: [How to apply a provisioning package](provisioning-apply-package.md)   
 
 
 ## Learn more
+-   [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651)
 
 -   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
 
 -   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
 
  
-## Related topics
 
-- [Provisioning packages for Windows 10](provisioning-packages.md)
+ 
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 
 
 

windows/deploy/provision-pcs-with-apps-and-certificates.md

@@ -4,7 +4,7 @@ description: Create a provisioning package to apply settings to a PC running Win
 ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
 keywords: ["runtime provisioning", "provisioning package"]
 ms.prod: W10
-ms.mktglfcycl: deploy
+ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
 localizationpriority: high
@@ -57,7 +57,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. 
 
 > [!NOTE]
-> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). 
+> If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/library/windows/hardware/mt703295%28v=vs.85%29.aspx). 
 
 
 ### Add a universal app to your package
@@ -170,27 +170,66 @@ If your build is successful, the name of the provisioning package, output direct
 
 
 
-**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+## Apply package
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+6. Read and accept the Microsoft Software License Terms.  
+
+    ![Sign in](images/license-terms.png)
+    
+7. Select **Use Express settings**.
+
+    ![Get going fast](images/express-settings.png)
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+    ![Who owns this PC?](images/who-owns-pc.png)
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+    ![Connect to Azure AD](images/connect-aad.png)
+
+10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+    ![Sign in](images/sign-in-prov.png)
+    
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. 
+
+![add a package option](images/package.png)
 
 ## Learn more
+-   [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651)
 
 -   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
 
 -   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
  
 
-## Related topics
+
-
+
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 
 

windows/deploy/provisioning-apply-package.md

@@ -1,119 +0,0 @@
----
-title: Apply a provisioning package (Windows 10)
-description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Apply a provisioning package
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
-
-## Desktop editions
-
-### During initial setup, from a USB drive
-
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
-    ![The first screen to set up a new PC](images/oobe.jpg)
-
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
-
-    ![Set up device?](images/setupmsg.jpg)
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
-    ![Provision this device](images/prov.jpg)
-    
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
-    ![Choose a package](images/choose-package.png)
-
-5. Select **Yes, add it**.
-
-    ![Do you trust this package?](images/trust-package.png)
-    
-6. Read and accept the Microsoft Software License Terms.  
-
-    ![Sign in](images/license-terms.png)
-    
-7. Select **Use Express settings**.
-
-    ![Get going fast](images/express-settings.png)
-
-8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
-
-    ![Who owns this PC?](images/who-owns-pc.png)
-
-9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
-
-    ![Connect to Azure AD](images/connect-aad.png)
-
-10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
-
-    ![Sign in](images/sign-in-prov.png)
-    
-### After setup, from a USB drive, network folder, or SharePoint site
-
-On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
-
-![add a package option](images/package.png)
-    
-## Mobile editions
-
-### Using removable media
-
-1. Insert an SD card containing the provisioning package into the device.
-2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
-
-    ![add a package option](images/packages-mobile.png)
-
-3. Click **Add**.
-
-4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
-
-    ![Is this package from a source you trust](images/package-trust.png)
-    
-### Copying the provisioning package to the device
-
-1. Connect the device to your PC through USB.
-
-2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
-
-3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
-
-    ![Is this package from a source you trust](images/package-trust.png)
-
-
-#
-
-
-## Learn more
-
--   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-
--   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

windows/deploy/provisioning-command-line.md

@@ -1,68 +0,0 @@
----
-title: Windows ICD command-line interface (Windows 10)
-description: 
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Windows ICD command-line interface (reference)
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. 
-
-- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges.
-
-- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). 
-
-
-
-## Syntax
-
-``` 
-icd.exe /Build-ProvisioningPackage /CustomizationXML:<path_to_xml> /PackagePath:<path_to_ppkg> 
-[/StoreFile:<path_to_storefile>]  [/MSPackageRoot:<path_to_mspackage_directory>]  [/OEMInputXML:<path_to_xml>]
-[/ProductName:<product_name>]  [/Variables:<name>:<value>] [[+|-]Encrypted] [[+|-]Overwrite] [/?]
-```
-
-## Switches and arguments
-
-| Switch | Required? | Arguments |
-| --- | --- | --- |
-| /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. |
-| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. |
-| /StoreFile | No</br></br></br>See Important note. | For partners using a settings store other than the default store(s) used by Windows ICD, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows ICD.</br></br></br>**Important**  If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. |
-| /Variables | No | Specifies a semicolon separated <name> and <value> macro pair. The format for the argument must be <name>=<value>. |
-| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows ICD auto-generates the decryption password and includes this information in the output.</br></br></br>Precede with + for encryption or - for no encryption. The default is no encryption. |
-| Overwrite | No | Denotes whether to overwrite an existing provisioning package.</br></br></br>Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). |
-| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
- 
-
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
- 
-
-
-
-
-

windows/deploy/provisioning-create-package.md

@@ -1,148 +0,0 @@
----
-title: Create a provisioning package (Windows 10)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Create a provisioning package for Windows 10
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10. 
-
->[Learn how to install Windows ICD.](provisioning-install-icd.md)
-
-## Start a new project
-
-1. Open Windows ICD:
-    - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut, 
-    
-    or
-    
-    - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
-
-2. Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image:
-
-    ![Simple provisioning or provision school devices or advanced provisioning](images/icd-create-options.png)
-    
-    - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. 
-    - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. 
-    >[!TIP]
-    >You can start a project in the simple editor and then switch the project to the advanced editor.
-    >
-    >![Switch to advanced editor](images/icd-switch.png)
-        
-3. Enter a name for your project, and then click **Next**.
-
-4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options.
-
-    | Windows edition | Settings available for customization | Provisioning package can apply to |
-    | --- | --- | --- |
-    | All Windows editions | Common settings | All Windows 10 devices |
-    | All Windows desktop editions | Common settings and settings specific to desktop devices  | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education)   |
-    | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices |
-    | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices |
-    | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic  | [Microsoft HoloLens](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)   |
-    | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team  | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)  |
- 
-5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**.
-
->[!TIP]
->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly.
-
-After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**. 
-
-- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md). 
-- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain).
-
-
-## Configure settings
-
-For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
-
-![What the ICD interface looks like](images/icd-runtime.png)
-
-The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
-
-The process for configuring settings is similar for all settings. The following table shows an example.
-
-<table>
-<tr><td>![step one](images/one.png)</br>Expand a category.</td><td>![Expand Certificates category](images/icd-step1.png)</td></tr>
-<tr><td>![step two](images/two.png)</br>Select a setting.</td><td>![Select ClientCertificates](images/icd-step2.png)</td></tr>
-<tr><td>![step three](images/three.png)</br>Enter a value for the setting. Click **Add** if the button is displayed.</td><td>![Enter a name for the certificate](images/icd-step3.png)</td></tr>
-<tr><td>![step four](images/four.png)</br>Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.</td><td>![Additional settings for client certificate](images/icd-step4.png)</td></tr> 
-<tr><td>![step five](images/five.png)</br>When the setting is configured, it is displayed in the **Selected customizations** pane.</td><td>![Selected customizations pane](images/icd-step5.png)</td></tr>
-</table>
-
-For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image.
-
-![Windows ICD opens the reference topic when you select a setting](images/icd-setting-help.png) 
-
-
- ## Build package
-
-1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
-
-    ![Export on top bar](images/icd-export-menu.png)
-    
-2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
-    - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
-    - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field. 
-    - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
-    - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
-    
-3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections.
-
-    - **Encrypt package** -  If you select this option, an auto-generated password will be shown on the screen.
-    - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
-
-    >[!NOTE]
-    >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. 
-    >
-    >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
-
-4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location.
-
-5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
-
-    If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
-
-6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
-
-    If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. 
-
-    If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
-
-7. When you are done, click **Finish** to close the wizard and go back to the Customizations page.
-
-**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
-
-## Learn more
-
--   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-
--   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

windows/deploy/provisioning-how-it-works.md

@@ -1,184 +0,0 @@
----
-title: How provisioning works in Windows 10 (Windows 10)
-description: A provisioning package (.ppkg) is a container for a collection of configuration settings. 
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# How provisioning works in Windows 10
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). 
-
-## Provisioning packages
-
-A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device.
-
-To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source.
-
-A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format: 
-
-- Package metadata – The metadata contains basic information about the package such as package name, description, version, ranking, and so on. 
-
-- XML descriptors – Each descriptor defines a customization asset or configuration setting included in the package. 
-
-- Asset payloads – The payloads of a customization asset or a configuration setting associated with an app or data asset. 
-
-You can  use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location. 
-
-## Precedence for provisioning packages
-
-When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence:
-
-1. Microsoft 
-
-2. Silicon Vender 
-
-3. OEM 
-
-4. System Integrator 
-
-5. Mobile Operator 
-
-6. IT Admin 
-
-The valid value range of package rank level is 0 to 99. 
-
-When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device. 
-
-## Windows provisioning XML
-
-Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. 
-
-Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format.
-
-When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. 
-
-## Provisioning engine
-
-The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10. 
-
-The provisioning engine provides the following functionality:
-
-- Provisioning configuration at any time when the device is running including first boot and setup or OOBE. It is also extensible to other points during the run-time of the device.
-- Reading and combining settings from multiple sources of configuration that may be added to an image by Microsoft, the OEM, or system integrator, or added by IT/education administrators or users to the device at run-time. Configuration sources may be built into the image or from provisioning packages added to the device.
-- Responding to triggers or events and initiating a provisioning stage.
-- Authenticating the provisioning packages.
-- Selecting a set of configuration based on the stage and a set of keys—such as the SIM, MCC/MNC, IMSI range, and so on—that map to a specific configuration then passing this configuration to the configuration management infrastructure to be applied.
-- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined.
-
-## Configuration manager
-
-The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings. 
-
-The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. 
-
-Underneath the configuration manager are the CSPs. Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions. 
-
-## Policy and resource manager
-
-The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself. 
-
-The key differences between enterprise enrollment and the configuration performed by the provisioning engine are: 
-- Enrollment enforces a limited and controlled set of policies on the device that the user may not have full control over. The provisioning engine exposes a larger set of settings that configure more aspects of the device and are generally user adjustable.
-- The policy manager manages policy settings from multiple entities and performs a selection of the setting based on priority of the entities. The provisioning engine applies the settings and does not offer a means of prioritizing settings from different sources. The more specific provisioning is the last one applied and the one that is used.
-- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings.
-
-In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager. 
-
-## Triggers and stages
-
-Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive).
-
-When a trigger occurs, provisioning is initiated for a particular provisioning stage. The stages are grouped into sets based on the scope of the settings:
-- **Static**: First stage run for provisioning to apply configuration settings to the system to set up OOBE or apply device-wide settings that cannot be done when the image is being created.
-- **System**: Run during OOBE and configure system-wide settings.
-- **UICC**: UICC stages run for each new UICC in a device to handle configuration and branding based on the identity of the UICC or SIM card. This enables the runtime configuration scenarios where an OEM can maintain one image that can be configured for multiple operators.
-- **Update**: Runs after an update to apply potential updated settings changes.
-- **User**: runs during a user account first run to configure per-user settings.
-
-
-
-
-
-
-
-
-
-## Device provisioning during OOBE
-
-The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. 
-
-Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. 
-
-The following table shows how device provisioning can be initiated when a user first boots to OOBE.
-
-
-| Package delivery | Initiation method | Supported device |
-| --- | --- | --- |
-| Removable media - USB drive or SD card</br> (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices |
-| From an administrator device through machine to machine NFC or NFC tag</br>(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices |
- 
-The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. 
-
-When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). 
-
-## Device provisioning at runtime
-
-At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime.
-
-The following table shows when provisioning at device runtime can be initiated.
-
-| Package delivery | Initiation method | Supported device |
-| --- | --- | --- |
-| Removable media - USB drive or SD card</br>(Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices |
-| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices |
-| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows 10 Mobile devices and IoT Core devices |
-
-When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device.
-
-When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device.
-
-After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device.
-
-
-## Learn more
-
--   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-
--   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
-
-
- 
-
- 
-
-
-
-
-

windows/deploy/provisioning-install-icd.md

@@ -1,106 +0,0 @@
----
-title: Install Windows Imaging and Configuration Designer (Windows 10)
-description: Learn how to install and run Windows ICD. 
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Install Windows Imaging and Configuration Designer (ICD)
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
-
-## Supported platforms
-
-Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems:
-
-- Windows 10 - x86 and amd64
-- Windows 8.1 Update - x86 and amd64
-- Windows 8.1 - x86 and amd64
-- Windows 8 - x86 and amd64
-- Windows 7 - x86 and amd64
-- Windows Server 2016
-- Windows Server 2012 R2 Update
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-## Install Windows ICD
-
-1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607).
-
-    >[!NOTE]
-    >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example.
-    
-2. Save **adksetup.exe** and then run it.
-
-3. On the **Specify Location** page, select an installation path and then click **Next**.
-    >[!NOTE]
-    >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB.
-4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**.
-
-5. Accept the **License Agreement**, and then click **Next**.
-
-6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
-
-    ![Only Configuration Designer selected for installation](images/icd-install.png)
-
-## Current Windows ICD limitations
-
-
-- You can only run one instance of Windows ICD on your computer at a time.
-
-- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process.
-
-- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
-
-- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time.
-
-- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security**  -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. 
-
-- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. 
-
-    For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC.
- 
-- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device.
-
-**Next step**: [How to create a provisioning package](provisioning-create-package.md)
-
-## Learn more
-
--   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-
--   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
-
- 
-
- 
-
-
-
-
-

windows/deploy/provisioning-multivariant.md

@@ -1,322 +0,0 @@
----
-title: Create a provisioning package with multivariant settings (Windows 10)
-description: Create a provisioning package with multivariant settings to customize the provisioned settings.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Create a provisioning package with multivariant settings
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales.
-
-To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
-
-The following events trigger provisioning on Windows 10 devices:
-
-| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) |
-| --- | --- | --- |
-| System boot | Supported | Supported |
-| Operating system update | Supported | Planned |
-| Package installation during device first run experience | Supported | Supported |
-| Detection of SIM presence or update | Supported | Not supported |
-| Package installation at runtime | Supported | Supported |
-| Roaming detected | Supported | Not supported |
-
-## Target, TargetState, Condition, and priorities
-
-Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant.
-
-- You can define multiple **Target** child elements for each **Id** that you need for the customization setting.
-
-- Within a **Target** you can define multiple **TargetState** elements.
-
-- Within a **TargetState** element you can create multiple **Condition** elements.
-
-- A **Condition** element defines the matching type between the condition and the specified value.
-
-The following table shows the conditions supported in Windows 10 provisioning:
-
->[!NOTE]
->You can use any of these supported conditions when defining your **TargetState**.
-
-| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description |
-| --- | --- | --- | --- | --- | --- |
-| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
-| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
-| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. |
-| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
-| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
-| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
-| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | 
-| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:</br></br></br>- 0 - Empty</br>- 1 - Ready</br>- 2 - Locked |
-| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:</br></br></br>- 0 - Slot 0</br>- 1 - Slot 1 |
-| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. |
-| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. |
-| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
-| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. |
-| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
-| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
-| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. |
-| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. |
-| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". |
-
-The matching types supported in Windows 10 are:
-
-| Matching type | Syntax | Example |
-| --- | --- | --- |
-| Straight match | Matching type is specified as-is | &lt;Condition Name="ProcessorName" Value="Barton" /&gt; |
-| Regex match | Matching type is prefixed by "Pattern:" | &lt;Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /&gt; |
-| Numeric range match | Matching type is prefixed by "!Range:" | &lt;Condition Name="MNC" Value="!Range:400, 550" /&gt; |
- 
-
-- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic).
-
-- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization.
-
-
-You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**. 
-
-A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package.
-
-The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed:
-
-1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions.
-
-
-2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions.
-
-
-3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions.
-
-
-4. For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions.
-
-
-5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions.
-
-
-6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal.
-
-
-## Create a provisioning package with multivariant settings
-
-Follow these steps to create a provisioning package with multivariant capabilities.
-
-
-1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
-
-
-2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
-
-
-3. Open the project folder and copy the customizations.xml file. 
-
-4. Use an XML or text editor to open the customizations.xml file.
-
-    The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings.
-
-    The following example shows the contents of a sample customizations.xml file.
-
-    ```XML
-<?xml version="1.0" encoding="utf-8"?> 
-<WindowsCustomizatons> 
-  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0"> 
-    <ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID> 
-    <Name>My Provisioning Package</Name> 
-    <Version>1.0</Version> 
-    <OwnerType>OEM</OwnerType> 
-    <Rank>50</Rank> 
-  </PackageConfig> 
-  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"> 
-    <Customizations> 
-      <Common> 
-        <Policies> 
-          <AllowBrowser>0</AllowBrowser> 
-          <AllowCamera>0</AllowCamera> 
-          <AllowBluetooth>0</AllowBluetooth> 
-        </Policies> 
-        <HotSpot> 
-          <Enabled>0</Enabled> 
-        </HotSpot> 
-      </Common> 
-    </Customizations> 
-  </Settings> 
-</WindowsCustomizatons> 
-    ```
-
-4. Edit the customizations.xml file and create a **Targets** section to describe the conditions that will handle your multivariant settings. 
-
-    The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
-    
-    ```XML
-    <?xml version="1.0" encoding="utf-8"?> 
-<WindowsCustomizatons> 
-  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0"> 
-    <ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID> 
-    <Name>My Provisioning Package</Name> 
-    <Version>1.0</Version> 
-    <OwnerType>OEM</OwnerType> 
-    <Rank>50</Rank> 
-  </PackageConfig> 
-  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"> 
-    <Customizations> 
-      <Common> 
-        <Policies> 
-          <AllowBrowser>0</AllowBrowser> 
-          <AllowCamera>0</AllowCamera> 
-          <AllowBluetooth>0</AllowBluetooth> 
-        </Policies> 
-        <HotSpot> 
-          <Enabled>0</Enabled> 
-        </HotSpot> 
-      </Common> 
-      <Targets> 
-        <Target Id="Unique target identifier for desktop"> 
-          <TargetState> 
-            <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> 
-            <Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" /> 
-          </TargetState> 
-          <TargetState> 
-            <Condition Name="ProcessorName" Value="Barton" /> 
-            <Condition Name="ProcessorType" Value="Athlon MP" /> 
-          </TargetState> 
-        </Target> 
-        <Target Id="Mobile target"> 
-          <TargetState> 
-            <Condition Name="MCC" Value="Range:310, 320" /> 
-            <Condition Name="MNC" Value="!Range:400, 550" /> 
-          </TargetState> 
-        </Target> 
-      </Targets> 
-    </Customizations> 
-  </Settings> 
-</WindowsCustomizatons> 
-    ```
-
-5. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this:
-
-    a. Define a child **TargetRefs** element.
-    
-    b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings. 
-
-    c. Move compliant settings from the **Common** section to the **Variant** section.
-
-    If any of the TargetRef elements matches the Target, all settings in the Variant are applied (OR logic).
-
-    >[!NOTE]
-    >You can define multiple Variant sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event.
-
-    The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met.
-
-    ```XML
-<?xml version="1.0" encoding="utf-8"?> 
-<WindowsCustomizatons> 
-  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
-    <ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID> 
-    <Name>My Provisioning Package</Name> 
-    <Version>1.0</Version> 
-    <OwnerType>OEM</OwnerType> 
-    <Rank>50</Rank> 
-  </PackageConfig> 
-  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"> 
-    <Customizations> 
-      <Common> 
-      </Common> 
-      <Targets> 
-        <Target Id="Unique target identifier for desktop"> 
-          <TargetState> 
-            <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> 
-            <Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" /> 
-          </TargetState> 
-          <TargetState> 
-            <Condition Name="ProcessorName" Value="Barton" /> 
-            <Condition Name="ProcessorType" Value="Athlon MP" /> 
-          </TargetState> 
-        </Target> 
-        <Target Id="Mobile target"> 
-          <TargetState> 
-            <Condition Name="MCC" Value="Range:310, 320" /> 
-            <Condition Name="MNC" Value="!Range:400, 550" /> 
-          </TargetState> 
-        </Target>
-      </Targets> 
-      <Variant> 
-        <TargetRefs> 
-          <TargetRef Id="Unique target identifier for desktop" /> 
-          <TargetRef Id="Mobile target" /> 
-        </TargetRefs> 
-        <Settings> 
-          <Policies> 
-            <AllowBrowser>1</AllowBrowser> 
-            <AllowCamera>1</AllowCamera> 
-            <AllowBluetooth>1</AllowBluetooth> 
-          </Policies> 
-          <HotSpot> 
-            <Enabled>1</Enabled> 
-          </HotSpot> 
-        </Settings> 
-      </Variant> 
-    </Customizations> 
-  </Settings> 
-</WindowsCustomizatons> 
-    ```
-
-6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
-
-
-7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
-
-    For example:
-
-    ```
-    icd.exe /Build-ProvisioningPackage /CustomizationXML:"C:\CustomProject\customizations.xml" /PackagePath:"C:\CustomProject\output.ppkg" /StoreFile:C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat"
-    ```
-    
-
-In this example, the **StoreFile** corresponds to the location of the settings store that will be used to create the package for the required Windows edition. 
-
->[!NOTE]
->The provisioning package created during this step will contain the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project.
-
- 
-
-
- 
-
- 
-
-
-
-
-
- 
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-
- 
-
-
-
-
-

windows/deploy/provisioning-nfc.md

@@ -1,153 +0,0 @@
----
-title: NFC-based device provisioning (Windows 10)
-description: 
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# NFC-based device provisioning
-
-
-**Applies to**
-
--   Windows 10 Mobile
-
-Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. 
-
-The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup or the out-of-box experience (OOBE) phase. Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE.
-
-## Provisioning OOBE UI
-
-All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provisioning capability incorporated into the operating system. On devices that support NFC and are running Windows 10 Mobile Enterprise or Windows 10 Mobile, NFC-based device provisioning provides an additional mechanism to provision the device during OOBE.
-
-On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. 
-
-![Example of Provision this device screen](images/nfc.png)
-
-If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
-
-- **NFC initialization error** - This can be caused by any error that occurs before data transfer has started. For example, if the NFC driver isn't enabled or there's an error communicating with the proximity API.
-- **Interrupted download or incomplete package transfer** - This error can happen if the peer device is out of range or the transfer is aborted. This error can be caused whenever the device being provisioned fails to receive the provisioning package in time.
-- **Incorrect package format** - This error can be caused by any protocol error that the operating system encounters during the data transfer between the devices.
-- **NFC is disabled by policy** - Enterprises can use policies to disallow any NFC usage on the managed device. In this case, NFC functionality is not enabled.
-
-## NFC tag
-
-You can use an NFC tag for minimal provisioning and use an NFC-enabled device tag for larger provisioning packages.
-
-The protocol used for NFC-based device provisioning is similar to the one used for NFC provisioning on Windows Embedded 8.1 Handheld, which supported both single-chunk and multi-chunk transfer when the total transfer didn't fit in one NDEP message size. In Windows 10, the provisioning stack contains the following changes:
-
-- **Protocol namespace** - The protocol namespace has changed from Windows.WEH.PreStageProv.Chunk to Windows.ProvPlugins.Chunk.
-- **Tag data type** - The tag data type has changed from UTF-8 into binary raw data.
-
-
->[!NOTE]
->The NFC tag doesn't go in the secondary device. You can transfer the NFC tag by using a provisioning package from device-to-device using the NFC radio or by re-reading the provisioning package from an NFC tag.
-
-### NFC tag components
-
-NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB. 
-
-To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag.
-
-The following table describes the information that is required when writing to an NFC tag.
-
-| Required field | Description |
-| --- | --- |
-| **Type** | Windows.ProvPlugins.Chunk<br></br>The receiving device uses this information to understand information in the Data field. |
-| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. |
- 
-
-
-### NFC provisioning helper
-
-The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format:
-
-<table><tr><td>**Version**</br>(1 byte)</td><td>**Leading**<br>(1 byte)</td><td>**Order**</br>(1 byte)</td><td>**Total**</br>(1 byte)</td><td>**Chunk payload**</br>(N bytes)</td></tr></table>
- 
-For each part:
-- **Version** should always be 0x00.
-- **Leading byte** should always be 0xFF.
-- **Order** represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0). 
-- **Total** represents the total number of chunks to be transferred for the whole message.
-- **Chunk payload** represents each of the split parts.
-
-The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk.
-
-**Code example**
-
-The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device.
-
-```
-        private async void WriteProvPkgToTag(IStorageFile provPkgFile)
-        {
-            var buffer = await FileIO.ReadBufferAsync(provPkgFile);
-            if (null == buffer)
-            {
-                return;
-            }
-
-            var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
-            if (null == proximityDevice)
-            {
-                return;
-            }
-
-            var dataWriter = new DataWriter();
-            var header = new NfcProvHeader();
-
-            header.version = NFC_PROV_MESSAGE_CURRENT_VERSION;  // Currently the supported version is 0x00.
-            header.leading = NFC_PROV_MESSAGE_LEADING_BYTE;     // The leading byte should be always 0xFF.
-            header.index = 0; // Assume we only have 1 chunk.
-            header.total = 1; // Assume we only have 1 chunk.
-
-            // Write the header first and then the raw data of the provisioning package.
-            dataWriter.WriteBytes(GetBytes(header));
-            dataWriter.WriteBuffer(buffer);
-
-            var chunkPubId = proximityDevice.PublishBinaryMessage(
-                            "Windows:WriteTag.ProvPlugins.Chunk",
-                            dataWriter.DetachBuffer());
-        }
-```
-
-
-### NFC-enabled device tag components
-
-Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds.
-
-To provision from an NFC-enabled source device, use [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
-
-For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device.
-
- 
-
-
-
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
- 
-
- 
-
-
-
-
-

windows/deploy/provisioning-packages.md

@@ -3,8 +3,9 @@ title: Provisioning packages (Windows 10)
 description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
 ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
 ms.prod: w10
-ms.mktglfcycl: deploy
+ms.mktglfcycl: explore
 ms.sitesec: library
+ms.pagetype: mobile
 author: jdeckerMS
 localizationpriority: high
 ---
@@ -17,17 +18,15 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
-Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
 
-A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
 
 Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
 
-The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages. 
-
 ## New in Windows 10, Version 1607
 
-Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. 
+The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. 
 
 ![Configuration Designer options](images/icd.png)
 
@@ -75,7 +74,7 @@ Provisioning packages can be:
 ## What you can configure
 
 
-The following table provides some examples of what you can configure using provisioning packages.
+The following table provides some examples of what can be configured using provisioning packages.
 
 | Customization options    | Examples                                                                                      |
 |--------------------------|-----------------------------------------------------------------------------------------------|
@@ -93,26 +92,42 @@ The following table provides some examples of what you can configure using provi
 
 For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
 
+## Creating a provisioning package
+
+
+With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+When you run ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box:
+
+-   **Configuration Designer**
+
+![Choose Configuration Designer](images/adk-install.png)
+
+> [!NOTE]
+> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
+
+After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651).
+
+## Applying a provisioning package to a device
+
+
+Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651).
+
 ## Learn more
 
--   Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
 
--   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+[Windows 10: Deployment](https://go.microsoft.com/fwlink/p/?LinkId=533708)
 
 ## Related topics
 
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
-- [Create a provisioning package](provisioning-create-package.md)
+- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
+- [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
 
 
 

windows/deploy/provisioning-script-to-install-app.md

@@ -1,222 +0,0 @@
----
-title: Use a script to install a desktop app in provisioning packages (Windows 10)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Use a script to install a desktop app in provisioning packages
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below). 
-
->**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher 
-
->[!NOTE]
->This scenario is only supported for installing applications on Windows 10 for desktop, version 1511 or higher.
-
-## Assemble the application assets
-
-1. On the device where you’re authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It’s common for many apps to have an installer called ‘install.exe’ or similar, and there may be name overlap because of that. To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application. 
-
-2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
-
-## Cab the application assets
-
-1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
-
-    ```
-    ;*** MSDN Sample Source Code MakeCAB Directive file example
-    
-    ;
-    
-    .OPTION EXPLICIT  ; Generate errors on variable typos
-    
-    .set DiskDirectoryTemplate=CDROM  ; All cabinets go in a single directory
-    
-    .Set MaxDiskFileCount=1000; Limit file count per cabinet, so that
-    
-    ; scanning is not too slow
-    
-    .Set FolderSizeThreshold=200000   ; Aim for ~200K per folder
-    
-    .Set CompressionType=MSZIP
-    
-    ;** All files are compressed in cabinet files
-    
-    .Set Cabinet=on
-    
-    .Set Compress=on
-    
-    ;-------------------------------------------------------------------
-    
-    ;** CabinetNameTemplate = name of cab
-    
-    ;** DiskDirectory1 = output directory where cab will be created
-    
-    ;-------------------------------------------------------------------
-    
-    .Set CabinetNameTemplate=tt.cab
-    
-    .Set DiskDirectory1=.
-        
-    ;-------------------------------------------------------------------
-    
-    ; Replace <file> with actual files you want to package
-    
-    ;-------------------------------------------------------------------
-    
-    <file1>
-    
-    <file2>
-    
-    ;*** <the end>  
-    ```
-
-2. Use makecab to create the cab files.
-
-    ```
-    Makecab -f <path to DDF file>
-    ```
-
-## Create the script to install the application
-
-Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
-
->[!NOTE]
->All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
->
->The scripts will be run on the device in system context.
-
-### Debugging example 
-
-Granular logging is not built in, so the logging must be built into the script itself. Here is an example script that logs ‘Hello World’ to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you will see in the following examples, it’s recommended that you log each action that your script performs.
-
-```
-set LOGFILE=%SystemDrive%\HelloWorld.log
-echo Hello, World >> %LOGFILE% 
-```
-### .exe example
-
-This example script shows how to create a log output file on the system drive, install an app from a .exe installer, and echo the results to the log file.
-
-```
-set LOGFILE=%SystemDrive%\Fiddler_install.log
-echo Installing Fiddler.exe >> %LOGFILE%
-fiddler4setup.exe /S >> %LOGFILE%
-echo result: %ERRORLEVEL% >> %LOGFILE%
-```
-
-### .msi example
-
-This is the same as the previous installer, but installs the app from an MSI installer. Notice that msiexec is called with the /quiet flag in order to meet the silent requirement of scripts run from within a provisioning package.
-
-```
-set LOGFILE=%SystemDrive%\IPOverUsb_install.log
-echo Installing IpOverUsbInstaller.msi >> %LOGFILE%
-msiexec /i IpOverUsbInstaller.msi /quiet >> %LOGFILE%
-echo result: %ERRORLEVEL% >> %LOGFILE%
-```
-
-### PowerShell example
-
-This is an example script with logging that shows how to run a powershell script from the provisioning commands setting. Note that the PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction.
-
-```
-set LOGFILE=%SystemDrive%\my_powershell_script.log
-echo Running my_powershell_script.ps1 in system context >> %LOGFILE%
-echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE%
-PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1' >> %LOGFILE%
-echo result: %ERRORLEVEL% >> %LOGFILE%
-```
-
-### Extract from a .CAB example
-
-This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe
-
-```
-set LOGFILE=%SystemDrive%\install_my_app.log
-echo Expanding installer_assets.cab >> %LOGFILE%
-expand -r installer_assets.cab -F:* . >> %LOGFILE%
-echo result: %ERRORLEVEL% >> %LOGFILE%
-echo Installing MyApp >> %LOGFILE%
-setup.exe >> %LOGFILE%
-echo result: %ERRORLEVEL% >> %LOGFILE%
-```
-
-### Calling multiple scripts in the package
-
-You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package. 
-
-Here’s a table describing this relationship, using the PowerShell example from above:
-
-
-|ICD Setting | Value  | Description |
-| --- | --- | --- |
-| ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. |
-| ProvisioningCommands/DeviceContext/CommandFiles | PowerShell_Example.bat | The single orchestrator script referenced by the command line that handles calling into the required installers or performing any other actions such as expanding cab files. This script must do the required logging. |
-| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. |
-
- 
-### Add script to provisioning package 
- 
-When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Imaging and Configuration Designer (Windows ICD). 
-
-Using ICD, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: 
-
-```
-cmd /c InstallMyApp.bat
-```
-
-In ICD, this looks like:
-
-![Command line in Selected customizations](images/icd-script1.png)
-
-You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files.
-
-In ICD, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
-
-![Command files in Selected customizations](images/icd-script2.png)
-
-When you are done, [build the package](provisioning-create-package.md#build-package). 
- 
-
-### Remarks
-1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience:
-    a. Echo to console
-    b. Display anything on the screen
-    c. Prompt the user with a dialog or install wizard
-2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool.
-3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options).
-4. The CommandFile assets are deployed on the device to a temporary folder unique to each package.
-    a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
-    b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
-5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
-6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. 
-
-    >[!NOTE]
-    >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 
-7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

windows/deploy/provisioning-uninstall-package.md

@@ -1,98 +0,0 @@
----
-title: Settings changed when you uninstall a provisioning package (Windows 10)
-description: This topic lists the settings that are reverted when you uninstall a provisioning package.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Settings changed when you uninstall a provisioning package
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-When you uninstall a provisioning package, only certain settings are revertible. This topic lists the settings that are reverted when you uninstall a provisioning package.
-
-
-As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**.
-
-When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible. 
-
-Only settings in the following lists are revertible. 
-
-## Registry-based settings
-
-The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Graphical User Interface of the Windows Imaging and Configuration Designer (Windows ICD). 
-
-
-- [Wi-Fi Sense](https://msdn.microsoft.com/library/windows/hardware/mt219706.aspx)
-- [CountryAndRegion](https://msdn.microsoft.com/library/windows/hardware/mt219726.aspx)
-- DeviceManagement / PGList/ LogicalProxyName
-- UniversalAppInstall / LaunchAppAtLogin
-- [Power](https://msdn.microsoft.com/library/windows/hardware/dn953704.aspx)
-- [TabletMode](https://msdn.microsoft.com/library/windows/hardware/mt297550.aspx) 
-- [Maps](https://msdn.microsoft.com/library/windows/hardware/mt131464.aspx) 
-- [Browser](https://msdn.microsoft.com/library/windows/hardware/mt573151.aspx)
-- [DeviceFormFactor](https://msdn.microsoft.com/library/windows/hardware/mt243449.aspx) 
-- [USBErrorsOEMOverride](https://msdn.microsoft.com/library/windows/hardware/mt769908.aspx) 
-- [WeakCharger](https://msdn.microsoft.com/library/windows/hardware/mt346401.aspx) 
-
-
-
-## CSP-based settings
-
-Here is the list of revertible settings based on configuration service providers (CSPs). 
-
-[ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017.aspx) 
-[AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx)  
-[BrowserFavorite CSP](https://msdn.microsoft.com/library/windows/hardware/dn914758.aspx)   
-[CertificateStore CSP](https://msdn.microsoft.com/library/windows/hardware/dn920021.aspx) 
-[ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx)   
-[RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx)   
-[CM_CellularEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914761.aspx)   
-[CM_ProxyEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914762.aspx)   
-[CMPolicy CSP](https://msdn.microsoft.com/library/windows/hardware/dn914760.aspx)   
-[CMPolicyEnterprise CSP](https://msdn.microsoft.com/library/windows/hardware/mt706463.aspx)   
-[EMAIL2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn904953.aspx)   
-[EnterpriseAPN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617.aspx)   
-[EnterpriseAppManagement CSP](https://msdn.microsoft.com/library/windows/hardware/dn904955.aspx)   
-[EnterpriseDesktopAppManagement CSP](https://msdn.microsoft.com/library/windows/hardware/dn958620.aspx)   
-[EnterpriseModernAppManagement CSP](https://msdn.microsoft.com/library/windows/hardware/dn904956.aspx)   
-[NAP CSP](https://msdn.microsoft.com/library/windows/hardware/dn914767.aspx)   
-[PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099.aspx)   
-[Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx)   
-[PROXY CSP](https://msdn.microsoft.com/library/windows/hardware/dn914770.aspx)   
-[SecureAssessment CSP](https://msdn.microsoft.com/library/windows/hardware/mt718628.aspx)   
-[VPN CSP](https://msdn.microsoft.com/library/windows/hardware/dn904978.aspx)   
-[VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx)   
-[WiFi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981.aspx)   
-
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
- 
-
- 
-
-
-
-
-

windows/deploy/troubleshoot-upgrade-analytics.md

@@ -1,4 +1,4 @@
----
+---
 title: Troubleshoot Upgrade Analytics (Windows 10)
 description: Provides troubleshooting information for Upgrade Analytics.
 ms.prod: w10
@@ -25,14 +25,9 @@ If you still don’t see data in Upgrade Analytics, follow these steps:
 
 If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
 
-1.  Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
+1.  Unsubscribe from the Upgrade Analytics solution in the OMS portal.
 
-  ![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png)
+2.  Disable the Customer Experience Improvement Program on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to Security.
 
-2.  Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
+3.  Delete the CommercialDataOptin key in *HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection*
 
-  **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
-  **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
-
-3.	If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0".  The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
-4.	You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.

windows/deploy/upgrade-analytics-get-started.md

@@ -1,4 +1,4 @@
----
+---
 title: Get started with Upgrade Analytics (Windows 10)
 description: Explains how to get started with Upgrade Analytics.
 ms.prod: w10
@@ -77,14 +77,14 @@ For Upgrade Analytics to receive and display upgrade readiness data from Microso
 
 To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
 
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
+Note: The compatibility update KB runs under the computer’s system account and does not support user authenticated proxies.
 
 | **Endpoint**  | **Function**  |
 |---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com/collect/v1`  <br><br>                       `https://Vortex-win.data.microsoft.com/health/keepalive`                                                                                                      | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.             |
+| `https://v10.vortex-win.data.microsoft.com/collect/v1`                                                                                                                             | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.             |
-| `https://settings.data.microsoft.com/qos`                                                                                                                                  | Enables the compatibility update KB to send data to Microsoft.                                                                       |
+| `https://settings-win.data.microsoft.com/settings`                                                                                                                                 | Enables the compatibility update KB to send data to Microsoft.                                                                       |
-| `https://go.microsoft.com/fwlink/?LinkID=544713`<br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`                                         | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+| `https://go.microsoft.com/fwlink/?LinkID=544713`<br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`                                        | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
-
+| `https://vortex.data.microsoft.com/health/keepalive` <br>`https://settings.data.microsoft.com/qos` <br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | These endpoints are used to validate that user computers are sharing data with Microsoft.                                            |
 
 ## Deploy the compatibility update and related KBs
 
@@ -92,8 +92,8 @@ The compatibility update KB scans your computers and enables application usage t
 
 | **Operating System** | **KBs** |
 |----------------------|-----------------------------------------------------------------------------|
-| Windows 8.1          | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513.   |
+| Windows 8.1          | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513.   |
-| Windows 7 SP1        | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |
+| Windows 7 SP1        | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |
 
 IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
 
@@ -117,7 +117,7 @@ To ensure that user computers are receiving the most up to date data from Micros
 
 To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
 
-> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+> The following guidance applies to version 11.30.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
 
 The Upgrade Analytics deployment script does the following:
 
@@ -137,7 +137,7 @@ The Upgrade Analytics deployment script does the following:
 
 To run the Upgrade Analytics deployment script:
 
-1.  Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly.  Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+1.  Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is inteded to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly.  Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
 
 2.  Edit the following parameters in RunConfig.bat:
 
@@ -170,40 +170,35 @@ The deployment script displays the following exit codes to let you know if it wa
 <div style='font-size:10.0pt'>
 
 <TABLE border=1 cellspacing=0 cellpadding=0>
-<TR><TH BGCOLOR="#a0e4fa">Exit code<TH BGCOLOR="#a0e4fa">Meaning<TH BGCOLOR="#a0e4fa">Suggested fix
+<TR><TH BGCOLOR="#a0e4fa">Exit code<TH BGCOLOR="#a0e4fa">Meaning
-<TR><TD>0<TD>Success<TD>
+<TR><TD>0<TD>Success
-<TR><TD>1<TD>Unexpected error occurred while executing the script<TD> The files in the deployment script are likely corrupted.  Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
+<TR><TD>1<TD>Unexpected error occurred while executing the script
-<TR><TD>2<TD>Error when logging to console. $logMode = 0.<TD> Try changing the $logMode value to **1** and try again.
+<TR><TD>2<TD>Error when logging to console. $logMode = 0.
-<TR><TD>3<TD>Error when logging to console and file. $logMode = 1.<TD>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+<TR><TD>3<TD>Error when logging to console and file. $logMode = 1.
-<TR><TD>4<TD>Error when logging to file. $logMode = 2.<TD>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+<TR><TD>4<TD>Error when logging to file. $logMode = 2.
-<TR><TD>5<TD>Error when logging to console and file. $logMode = unknown.<TD>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+<TR><TD>5<TD>Error when logging to console and file. $logMode = unknown.
-<TR><TD>6<TD>The commercialID parameter is set to unknown. Modify the script.<TD>Set the value for CommercialID in runconfig.bat file.
+<TR><TD>6<TD>The commercialID parameter is set to unknown. Modify the script.
-<TR><TD>8<TD>Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. <TD> Verify that the configuration script has access to this location.
+<TR><TD>7<TD>Function -CheckCommercialId: Unexpected failure.
-<TR><TD>9<TD>Error when writing CommercialId to registry.<TD>Verify that the configuration script has access to this location.
+<TR><TD>8<TD>Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection.
-<TR><TD>10<TD>Error when writing CommercialDataOptIn to registry.<TD>Verify that the configuration script has access to this location.
+<TR><TD>9<TD>Error when writing CommercialId to registry.
-<TR><TD>11<TD>Function -SetupCommercialId: Unexpected failure.<TD>Verify that the configuration script has access to this location.
+<TR><TD>10<TD>Error when writing CommercialDataOptIn to registry.
-<TR><TD>12<TD>Can’t connect to Microsoft – Vortex. Check your network/proxy settings.<TD>Verify that the required endpoints are whitelisted correctly.
+<TR><TD>11<TD>Function -SetupCommercialId: Unexpected failure.
-<TR><TD>13<TD>Can’t connect to Microsoft – setting. <TD>Verify that the required endpoints  are whitelisted correctly.
+<TR><TD>12<TD>Can’t connect to Microsoft – Vortex. Check your network/proxy settings.
-<TR><TD>14<TD>Can’t connect to Microsoft – compatexchange.<TD> Verify that the required endpoints are whitelisted.
+<TR><TD>13<TD>Can’t connect to Microsoft – setting. Check your network/proxy settings.
-<TR><TD>15<TD>Error connecting to Microsoft:Unexpected failure.<TD>
+<TR><TD>14<TD>Can’t connect to Microsoft – compatexchange. Check your network/proxy settings.
-<TR><TD>16<TD>Machine requires reboot.<TD> The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
+<TR><TD>15<TD>Error connecting to Microsoft. Check your network/proxy settings.
-<TR><TD>17<TD>Function -CheckRebootRequired: Unexpected failure.<TD>The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
+<TR><TD>16<TD>Machine requires reboot.
-<TR><TD>18<TD>Outdated compatibility update KB package. Update via Windows Update/WSUS.<TD>
+<TR><TD>17<TD>Function -CheckRebootRequired: Unexpected failure.
-The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1.
+<TR><TD>18<TD>Outdated compatibility update KB package. Update via Windows Update/WSUS.
-<TR><TD>19<TD>The compatibility update failed with unexpected exception.<TD> The files in the deployment script are likely corrupted.  Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
+<TR><TD>19<TD>This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded.
-<TR><TD>20<TD>Error writing RequestAllAppraiserVersions registry key.<TD> This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
+<TR><TD>20<TD>Error writing RequestAllAppraiserVersions registry key.
-<TR><TD>21<TD>Function – SetRequestAllAppraiserVersions: Unexpected failure.<TD>This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
+<TR><TD>21<TD>Function – SetRequestAllAppraiserVersions: Unexpected failure.
-<TR><TD>22<TD>RunAppraiser failed with unexpected exception.<TD> Check %windir%\System32 directory for a file called CompatTelRunner.exe.  If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file.
+<TR><TD>22<TD>RunAppraiser failed with unexpected exception.
-<TR><TD>23<TD>Error finding system variable %WINDIR%.<TD> Make sure that this environment variable is available on the machine.
+<TR><TD>23<TD>Error finding system variable %WINDIR%.
-<TR><TD>24<TD>SetIEDataOptIn failed when writing IEDataOptIn to registry.<TD> Verify that the deployment script in running in a context that has access to the registry key.
+<TR><TD>24<TD>SetIEDataOptIn failed when writing IEDataOptIn to registry.
-<TR><TD>25<TD>SetIEDataOptIn failed with unexpected exception.<TD> The files in the deployment script are likely corrupted.  Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
+<TR><TD>25<TD>SetIEDataOptIn failed with unexpected exception.
-<TR><TD>26<TD>The operating system is Server or LTSB SKU.<TD> The script does not support Server or LTSB SKUs.
+<TR><TD>26<TD>The operating system is LTSB SKU. The script does not support LTSB SKUs.
-<TR><TD>27<TD>The script is not running under System account.<TD>The Upgrade Analytics configuration script must be run as system.  
+<TR><TD>27<TD>The operating system is Server SKU. The script does not support Server SKUs.
-<TR><TD>28<TD>Could not create log file at the specified logPath.<TD> Make sure the deployment script has access to the location specified in the logPath parameter.
-<TR><TD>29<TD> Connectivity check failed for proxy authentication. <TD> Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7.  For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
-<TR><TD>30<TD>Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled.<TD> The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7.  For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
-<TR><TD>31<TD>There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. <TD>  Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script.  
-**The Upgrade Analytics task is scheduled to run daily at 3 a.m.**
 </TABLE>
 
 </div>
@@ -211,3 +206,4 @@ The configuration script detected a version of the Compatibility update module t
 ## Seeing data from computers in Upgrade Analytics
 
 After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
+

windows/deploy/upgrade-analytics-requirements.md

@@ -1,4 +1,4 @@
----
+---
 title: Upgrade Analytics requirements (Windows 10)
 description: Provides requirements for Upgrade Analytics.
 ms.prod: w10
@@ -43,8 +43,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
 
 `https://v10.vortex-win.data.microsoft.com/collect/v1`
 
-`https://vortex-win.data.microsoft.com/health/keepalive`
-
 `https://settings-win.data.microsoft.com/settings`
 
 `https://vortex.data.microsoft.com/health/keepalive`

windows/deploy/windows-10-poc-mdt.md

@@ -1,634 +0,0 @@
----
-title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
----
-
-
-# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-
-**Applies to**
-
--   Windows 10
-
-**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: 
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-
-Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
-- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
-- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
-- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
-
->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
-
-## In this guide
-
-This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-<div style='font-size:9.0pt'>
-
-<TABLE border=1 cellspacing=0 cellpadding=0>
-<TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
-
-<TR><TD>[About MDT](#about-mdt)<TD>A high-level overview of the Microsoft Deployment Toolkit (MDT).<TD>Informational
-<TR><TD>[Install MDT](#install-mdt)<TD>Download and install MDT.<TD>40 minutes
-<TR><TD>[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)<TD>A reference image is created to serve as the template for deploying new images.<TD>90 minutes
-<TR><TD>[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)<TD>The reference image is deployed in the PoC environment.<TD>60 minutes
-<TR><TD>[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)<TD>Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.<TD>60 minutes
-<TR><TD>[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)<TD>Back up an existing client computer, then restore this backup to a new computer.<TD>60 minutes
-<TR><TD>[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)<TD>Log locations and troubleshooting hints.<TD>Informational
-</TABLE>
-
-</div>
-
-## About MDT
-
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. 
-- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager. 
-
-## Install MDT
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
-    ```
-    $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
-    Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
-    Stop-Process -Name Explorer
-    ```
-2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
-
-3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components.
-
-3. If desired, re-enable IE Enhanced Security Configuration:
-
-    ```
-    Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
-    Stop-Process -Name Explorer
-    ```
-
-## Create a deployment share and reference image
-
-A reference image serves as the foundation for Windows 10 devices in your organization.
-
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
-
-    ```
-    Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
-    ```
-2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
-
-4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
-
-5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-6. Use the following settings for the New Deployment Share Wizard:
-    - Deployment share path: **C:\MDTBuildLab**<BR>
-    - Share name: **MDTBuildLab$**<BR>
-    - Deployment share description: **MDT build lab**<BR>
-    - Options: click **Next** to accept the default<BR>
-    - Summary: click **Next**<BR>
-    - Progress: settings will be applied<BR>
-    - Confirmation: click **Finish**
-
-
-7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-
-8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
-
-9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
-
-10. Use the following settings for the Import Operating System Wizard: 
-    - OS Type: **Full set of source files**<BR>
-    - Source: **D:\\** <BR>
-    - Destination: **W10Ent_x64**<BR>
-    - Summary: click **Next**
-    - Progress: wait for files to be copied
-    - Confirmation: click **Finish**
-
-    >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library.
-
-11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-    - Task sequence ID: **REFW10X64-001**<BR>
-    - Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
-    - Task sequence comments: **Reference Build**<BR>
-    - Template: **Standard Client Task Sequence**
-    - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
-    - Specify Product Key: **Do not specify a product key at this time**
-    - Full Name: **Contoso**
-    - Organization: **Contoso**
-    - Internet Explorer home page: **http://www.contoso.com**
-    - Admin Password: **Do not specify an Administrator password at this time**
-    - Summary: click **Next**
-    - Confirmation: click **Finish**
-
-
-12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-
-13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
-
-14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change.
-
-15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
-
-16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
-
-17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-    
-    >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
-
-18. Click **OK** to complete editing the task sequence.
-
-19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab.
-
-20. Replace the default rules with the following text:
-
-    ```
-    [Settings]
-    Priority=Default
-
-    [Default]
-    _SMSTSORGNAME=Contoso
-    UserDataLocation=NONE
-    DoCapture=YES
-    OSInstall=Y
-    AdminPassword=pass@word1
-    TimeZoneName=Pacific Standard Time
-    OSDComputername=#Left("PC-%SerialNumber%",7)#
-    JoinWorkgroup=WORKGROUP
-    HideShell=YES
-    FinishAction=SHUTDOWN
-    DoNotCreateExtraPartition=YES
-    ApplyGPOPack=NO
-    SkipAdminPassword=YES
-    SkipProductKey=YES
-    SkipComputerName=YES
-    SkipDomainMembership=YES
-    SkipUserData=YES
-    SkipLocaleSelection=YES
-    SkipTaskSequence=NO
-    SkipTimeZone=YES
-    SkipApplications=YES
-    SkipBitLocker=YES
-    SkipSummary=YES
-    SkipRoles=YES
-    SkipCapture=NO
-    SkipFinalSummary=NO
-    ```
-
-21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
-
-    ```
-    [Settings]
-    Priority=Default
-
-    [Default]
-    DeployRoot=\\SRV1\MDTBuildLab$
-    UserDomain=CONTOSO
-    UserID=MDT_BA
-    UserPassword=pass@word1
-    SkipBDDWelcome=YES
-    ```
-
-22. Click **OK** to complete the configuration of the deployment share.
-
-23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
-
-24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice.  The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
-
-25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
-
-    >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
-
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
-
-    <div style='font-size:8.0pt'>
-    <pre style="overflow-y: visible">
-
-    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
-    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
-    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
-    Start-VM REFW10X64-001
-    vmconnect localhost REFW10X64-001
-	</pre>
-    </div>
-    
-    The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. 
-
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
-
-28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
-
-	Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
-
-	- Install the Windows 10 Enterprise operating system.
-	- Install added applications, roles, and features.
-	- Update the operating system using Windows Update (or WSUS if optionally specified).
-	- Stage Windows PE on the local disk.
-	- Run System Preparation (Sysprep) and reboot into Windows PE.
-	- Capture the installation to a Windows Imaging (WIM) file.
-	- Turn off the virtual machine.<BR><BR>
-
-    This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
-
-## Deploy a Windows 10 image using MDT
-
-This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
-
-1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
-     - **Deployment share path**: C:\MDTProd
-     - **Share name**: MDTProd$
-     - **Deployment share description**: MDT Production
-     - **Options**: accept the default
-
-
-2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**.
-
-3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
-
-4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
-
-5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
-
-6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**.
-
-7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. 
-
-8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
-
-9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**.
-
-10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
-
-    ![custom image](images/image.png)
-
-
-### Create the deployment task sequence
-
-1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**.
-
-2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-    - Task sequence ID: W10-X64-001
-    - Task sequence name: Windows 10 Enterprise x64 Custom Image
-    - Task sequence comments: Production Image
-    - Select Template: Standard Client Task Sequence
-    - Select OS: Windows 10 Enterprise x64 Custom Image
-    - Specify Product Key: Do not specify a product key at this time
-    - Full Name: Contoso
-    - Organization: Contoso
-    - Internet Explorer home page: http://www.contoso.com
-    - Admin Password: pass@word1 
-    
-### Configure the MDT production deployment share
-
-1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
-    ```
-    copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
-    copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
-    ``` 
-2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**.
-
-3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
-
-    ```
-    [Settings]
-    Priority=Default
-
-    [Default]
-    _SMSTSORGNAME=Contoso
-    OSInstall=YES
-    UserDataLocation=AUTO
-    TimeZoneName=Pacific Standard Time
-    OSDComputername=#Left("PC-%SerialNumber%",7)#
-    AdminPassword=pass@word1
-    JoinDomain=contoso.com
-    DomainAdmin=administrator
-    DomainAdminDomain=CONTOSO
-    DomainAdminPassword=pass@word1
-    ScanStateArgs=/ue:*\* /ui:CONTOSO\*
-    USMTMigFiles001=MigApp.xml
-    USMTMigFiles002=MigUser.xml
-    HideShell=YES
-    ApplyGPOPack=NO
-    SkipAppsOnUpgrade=NO
-    SkipAdminPassword=YES
-    SkipProductKey=YES
-    SkipComputerName=YES
-    SkipDomainMembership=YES
-    SkipUserData=YES
-    SkipLocaleSelection=YES
-    SkipTaskSequence=NO
-    SkipTimeZone=YES
-    SkipApplications=NO
-    SkipBitLocker=YES
-    SkipSummary=YES
-    SkipCapture=YES
-    SkipFinalSummary=NO
-    EventService=http://SRV1:9800
-    ```
-    **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
-    
-    >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
-
-    If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
-    
-    ```
-    ScanStateArgs=/ue:*\* /ui:CONTOSO\*
-    ```
-
-    For example, to migrate **all** users on the computer, replace this line with the following:
-
-    ```
-    ScanStateArgs=/all
-    ```   
-
-    For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx).
-
-4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
-
-    ```
-    [Settings]
-    Priority=Default
-
-    [Default]
-    DeployRoot=\\SRV1\MDTProd$
-    UserDomain=CONTOSO
-    UserID=MDT_BA
-    UserPassword=pass@word1
-    SkipBDDWelcome=YES
-    ```
-5. Click **OK** when finished. 
-
-### Update the deployment share
-
-1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
-
-2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
-
-3. Click **Finish** when the update is complete.
-
-### Enable deployment monitoring
-
-1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
-
-2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
-
-3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
-
-4. Close Internet Explorer.
-
-### Configure Windows Deployment Services
-
-1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
-
-    ```
-    WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
-    WDSUTIL /Set-Server /AnswerClients:All
-    ```
-
-2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
-
-3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**.
-
-4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
-
-### Deploy the client image
-
-1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. 
-
-    >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
-    
-    Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
-
-    ```
-    Disable-NetAdapter "Ethernet 2" -Confirm:$false
-    ```
-
-2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
-
-    ```
-    New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
-    Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
-    ```
-    >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
-
-3. Start the new VM and connect to it:
-
-    ```
-    Start-VM PC2
-    vmconnect localhost PC2
-    ```
-4. When prompted, hit ENTER to start the network boot process.
-
-5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
-
-6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
-    ```
-    Enable-NetAdapter "Ethernet 2"
-    ```
-7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
-8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes.  When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
-    
-    ![finish](images/deploy-finish.png)
-
-
-This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
-
-## Refresh a computer with Windows 10
-
-This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). 
-
-If the PC1 VM is not already running, then start and connect to it:
-
-    ```
-    Start-VM PC1
-    vmconnect localhost PC1
-    ```
-
-1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios.  Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-    ```
-    Checkpoint-VM -Name PC1 -SnapshotName BeginState
-    ```
-
-2. Sign on to PC1 using the CONTOSO\Administrator account.
-
-    >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
-
-3. Open an elevated command prompt on PC1 and type the following:
-
-    ```
-    cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
-    ```
-
-    **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
-
-4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
-
-5. Choose **Do not back up the existing computer** and click **Next**.
-
-    **Note**: The USMT will still back up the computer.
-
-6. Lite Touch Installation will perform the following actions:
-    - Back up user settings and data using USMT.
-    - Install the Windows 10 Enterprise X64 operating system.
-    - Update the operating system via Windows Update.
-    - Restore user settings and data using USMT.
-
-    You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
-
-7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
-
-8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-    ```
-    Checkpoint-VM -Name PC1 -SnapshotName RefreshState
-    ```
-
-9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-    ```
-    Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
-    Start-VM PC1
-    vmconnect localhost PC1
-    ```
-    
-10. Sign in to PC1 using the contoso\administrator account.
-
-## Replace a computer with Windows 10
-
-At a high level, the computer replace process consists of:<BR>
-- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.<BR>
-- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
-
-### Create a backup-only task sequence
-
-1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
-2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
-3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
-    ```
-    New-Item -Path C:\MigData -ItemType directory
-    New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
-    icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
-    ```
-4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
-5. Name the new folder **Other**, and complete the wizard using default options.
-6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
-    - **Task sequence ID**: REPLACE-001
-    - **Task sequence name**: Backup Only Task Sequence
-    - **Task sequence comments**: Run USMT to back up user data and settings
-    - **Template**: Standard Client Replace Task Sequence (note: this is not the default template)
-7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
-8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
-
-### Run the backup-only task sequence
-
-1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
-
-    ```
-    whoami
-    ```
-2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
-
-    ```
-    Remove-Item c:\minint -recurse
-    Remove-Item c:\_SMSTaskSequence -recurse
-    Restart-Computer
-    ```
-2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
-
-    ```
-    cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
-    ```
-3. Complete the deployment wizard using the following:
-    - **Task Sequence**: Backup Only Task Sequence
-    - **User Data**: Specify a location: **\\SRV1\MigData$\PC1**
-    - **Computer Backup**: Do not back up the existing computer.
-4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.  
-5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
-6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
-
-    ```
-    PS C:\> dir C:\MigData\PC1\USMT
-
-        Directory: C:\MigData\PC1\USMT
-
-    Mode                LastWriteTime     Length Name
-    ----                -------------     ------ ----
-    -a---          9/6/2016  11:34 AM   14248685 USMT.MIG
-    ```
-### Deploy PC3 
-
-1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
-
-    ```
-    New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
-    Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
-    ```
-2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
-    ```
-    Disable-NetAdapter "Ethernet 2" -Confirm:$false
-    ```
-3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-    ```
-    Start-VM PC3
-    vmconnect localhost PC3
-    ```
-4. When prompted, press ENTER for network boot.
-
-6. On PC3, ue the following settings for the Windows Deployment Wizard:
-    - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
-    - **Move Data and Settings**: Do not move user data and settings
-    - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1**
-5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
-
-    ```
-    Enable-NetAdapter "Ethernet 2"
-    ```
-7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
-
-8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
-
-9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure.
-
-## Troubleshooting logs, events, and utilities
-
-Deployment logs are available on the client computer in the following locations:
-- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
-- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
-- After deployment: %WINDIR%\TEMP\DeploymentLogs
-
-You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
-
-Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012)
-
-Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
-
-## Related Topics
-
-[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)<BR>
-[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md)
-
- 
-
-
-
-
-

windows/keep-secure/TOC.md

@@ -31,15 +31,12 @@
 ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
 #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
-#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
-### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
-### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
-### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
 ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
 #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
-#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
+#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
-#### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md)
+#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN technical guide](vpn-guide.md)
@@ -697,16 +694,16 @@
 ##### [Smart Cards Debugging Information](smart-card-debugging-information.md)
 ##### [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
 ##### [Smart Card Events](smart-card-events.md)
-### [Trusted Platform Module](trusted-platform-module-top-node.md)
+### [Trusted Platform Module](trusted-platform-module-overview.md)
-#### [Trusted Platform Module Overview](trusted-platform-module-overview.md)
 #### [TPM fundamentals](tpm-fundamentals.md)
 #### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
-#### [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
+#### [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
+#### [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
 #### [Manage TPM commands](manage-tpm-commands.md)
 #### [Manage TPM lockout](manage-tpm-lockout.md)
 #### [Change the TPM owner password](change-the-tpm-owner-password.md)
-#### [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md)
+#### [Initialize and configure ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md)
-#### [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
+#### [Switch PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
 #### [TPM recommendations](tpm-recommendations.md)
 ### [User Account Control](user-account-control-overview.md)
 #### [How User Account Control works](how-user-account-control-works.md)
@@ -743,12 +740,10 @@
 ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
 #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
 ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
 ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
@@ -876,6 +871,4 @@
 ### [Microsoft Passport guide](microsoft-passport-guide.md)
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
 ### [Windows 10 security overview](windows-10-security-guide.md)
-### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
-### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
 ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)

windows/keep-secure/access-this-computer-from-the-network.md

@@ -1,5 +1,5 @@
 ---
-title: Access this computer from the network - security policy setting (Windows 10)
+title: Access this computer from the network (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
 ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Access this computer from the network - security policy setting
+# Access this computer from the network
 
 **Applies to**
 -   Windows 10

windows/keep-secure/accounts-guest-account-status.md

@@ -1,5 +1,5 @@
 ---
-title: Accounts Guest account status - security policy setting (Windows 10)
+title: Accounts Guest account status (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
 ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Accounts: Guest account status - security policy setting
+# Accounts: Guest account status
 
 **Applies to**
 -   Windows 10

windows/keep-secure/accounts-rename-guest-account.md

@@ -1,5 +1,5 @@
 ---
-title: Accounts Rename guest account - security policy setting (Windows 10)
+title: Accounts Rename guest account (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
 ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Accounts: Rename guest account - security policy setting
+# Accounts: Rename guest account
 
 **Applies to**
 -   Windows 10

windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md

@@ -1,5 +1,289 @@
 ---
-title: AD DS schema extensions to support TPM backup
+title: AD DS schema extensions to support TPM backup (Windows 10)
-redirect_url: https://technet.microsoft.com/library/jj635854.aspx
+description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization.
+ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
 ---
 
+# AD DS schema extensions to support TPM backup
+
+**Applies to**
+-   Windows 10, version 1511
+-   Windows 10, version 1507
+
+**Does not apply to**
+- Windows 10, version 1607 or later
+
+This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization.
+
+## Why a schema extension is needed
+
+The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schema. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012, you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012:
+
+### <a href="" id="tpmschemaextension-ldf-"></a>TpmSchemaExtension.ldf
+
+This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object.
+
+``` syntax
+#===============================================================================
+#
+# Active Directory Domain Services schema extension for 
+# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
+#
+# This file contains attributes and class objects that enable Windows Server
+# 2008 and Windows Server 2008 R2 domain controllers to store TPM recovery
+# information in a new, TPM-specific location.
+#
+# Change History: 
+#   07/2010 - Created
+#
+# To extend the schema, use the LDIFDE tool on the schema master of the forest.
+#
+# Sample command:
+#   ldifde -i -v -f TPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
+#
+# For more information on LDIFDE tool, see
+# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677 
+#
+#===============================================================================
+#===============================================================================
+# New schema attributes
+#===============================================================================
+#
+# ms-TPM-Srk-Pub-Thumbprint
+# GUID: 19d706eb-4d76-44a2-85d6-1c342be3be37
+#
+dn: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: attributeSchema
+ldapDisplayName: msTPM-SrkPubThumbprint
+adminDisplayName: TPM-SrkPubThumbprint
+adminDescription: This attribute contains the thumbprint of the SrkPub corresponding to a particular TPM. This helps to index the TPM devices in the directory.
+attributeId: 1.2.840.113556.1.4.2107
+attributeSyntax: 2.5.5.10
+omSyntax: 4
+isSingleValued: TRUE
+searchFlags: 11
+schemaIdGuid:: 6wbXGXZNokSF1hw0K+O+Nw==
+showInAdvancedViewOnly: TRUE
+isMemberOfPartialAttributeSet: FALSE
+rangeUpper: 20
+#
+# ms-TPM-Owner-Information-Temp
+# GUID: c894809d-b513-4ff8-8811-f4f43f5ac7bc
+#
+dn: CN=ms-TPM-Owner-Information-Temp,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: attributeSchema
+ldapDisplayName: msTPM-OwnerInformationTemp
+adminDisplayName: TPM-OwnerInformationTemp
+adminDescription: This attribute contains temporary owner information for a particular TPM.
+attributeId: 1.2.840.113556.1.4.2108
+attributeSyntax: 2.5.5.12
+omSyntax: 64
+isSingleValued: TRUE
+searchFlags: 640
+rangeUpper: 128
+schemaIdGuid:: nYCUyBO1+E+IEfT0P1rHvA==
+showInAdvancedViewOnly: TRUE
+isMemberOfPartialAttributeSet: FALSE
+#
+# ms-TPM-Tpm-Information-For-Computer
+# GUID: ea1b7b93-5e48-46d5-bc6c-4df4fda78a35
+#
+dn: CN=ms-TPM-Tpm-Information-For-Computer,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: attributeSchema
+ldapDisplayName: msTPM-TpmInformationForComputer
+adminDisplayName: TPM-TpmInformationForComputer
+adminDescription: This attribute links a Computer object to a TPM object.
+attributeId: 1.2.840.113556.1.4.2109
+attributeSyntax: 2.5.5.1
+omSyntax: 127
+isSingleValued: TRUE
+searchFlags: 16
+omObjectClass:: KwwCh3McAIVK
+schemaIdGuid:: k3sb6khe1Ua8bE30/aeKNQ==
+showInAdvancedViewOnly: TRUE
+isMemberOfPartialAttributeSet: FALSE
+linkId: 2182
+#
+# ms-TPM-TpmInformation-For-Computer-BL
+# GUID: 14fa84c9-8ecd-4348-bc91-6d3ced472ab7
+#
+dn: CN=ms-TPM-Tpm-Information-For-Computer-BL,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: attributeSchema
+ldapDisplayName: msTPM-TpmInformationForComputerBL
+adminDisplayName: TPM-TpmInformationForComputerBL
+adminDescription: This attribute links a TPM object to the Computer objects associated with it.
+attributeId: 1.2.840.113556.1.4.2110
+attributeSyntax: 2.5.5.1
+omSyntax: 127
+isSingleValued: FALSE
+searchFlags: 0
+omObjectClass:: KwwCh3McAIVK
+schemaIdGuid:: yYT6FM2OSEO8kW087Ucqtw==
+showInAdvancedViewOnly: TRUE
+systemOnly: TRUE
+linkId: 2183
+#
+# Commit the new attributes
+#
+dn:
+changetype: modify
+add: schemaUpdateNow
+schemaUpdateNow: 1
+-
+#
+# Modify the Computer schema to support the TPM link
+#
+dn: CN=computer,CN=Schema,CN=Configuration,DC=X
+changetype: modify
+add: mayContain
+mayContain: msTPM-TpmInformationForComputer
+-
+#
+# Commit the modification to the computer class
+#
+dn:
+changetype: modify
+add: schemaUpdateNow
+schemaUpdateNow: 1
+-
+#===============================================================================
+# New schema classes
+#===============================================================================
+#
+# ms-TPM-Information-Objects-Container
+# GUID: e027a8bd-6456-45de-90a3-38593877ee74
+#
+dn: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: classSchema
+ldapDisplayName: msTPM-InformationObjectsContainer
+adminDisplayName: TPM-InformationObjectsContainer
+adminDescription: Container for TPM objects.
+governsID: 1.2.840.113556.1.5.276
+objectClassCategory: 1
+subClassOf: top
+systemMustContain: cn
+systemPossSuperiors: domain
+systemPossSuperiors: domainDNS
+schemaIdGUID:: vagn4FZk3kWQozhZOHfudA==
+defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;LOLCCCRP;;;DC)
+defaultHidingValue: TRUE
+defaultObjectCategory: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X
+#
+# ms-TPM-Information-Object
+# GUID: 85045b6a-47a6-4243-a7cc-6890701f662c
+#
+# NOTE: If the 'defaultSecurityDescriptor' value below is changed,
+#   also change the other '.ldf' files in this directory, as appropriate.
+#
+dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: classSchema
+ldapDisplayName: msTPM-InformationObject
+adminDisplayName: TPM-InformationObject
+adminDescription: This class contains recovery information for a Trusted Platform Module (TPM) device.
+governsID: 1.2.840.113556.1.5.275
+objectClassCategory: 1
+subClassOf: top
+systemMustContain: msTPM-OwnerInformation
+systemMayContain: msTPM-SrkPubThumbprint
+systemMayContain: msTPM-OwnerInformationTemp
+systemPossSuperiors: 1.2.840.113556.1.5.276
+schemaIdGUID:: alsEhaZHQ0KnzGiQcB9mLA==
+defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLO;;;DC)(A;;WP;;;CO)
+defaultHidingValue: TRUE
+defaultObjectCategory: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
+#
+# NOTE: If the 'defaultSecurityDescriptor' value above is changed,
+#   also change the other '.ldf' files in this directory, as appropriate.
+#
+#
+# Commit the new TPM object class
+#
+dn:
+changetype: modify
+add: schemaUpdateNow
+schemaUpdateNow: 1
+-
+#===============================================================================
+# New objects
+#===============================================================================
+#
+# Add the TPM container to its location in the directory
+#
+dn: CN=TPM Devices,DC=X
+changetype: add
+objectClass: msTPM-InformationObjectsContainer
+```
+
+You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf.
+
+### TpmSchemaExtensionACLChanges.ldf
+
+This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS.
+> **Important**  After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects.
+ 
+``` syntax
+#===============================================================================
+#
+# Active Directory Domain Services schema extension for 
+# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
+#
+# This file modifies a class object that enables Windows Server 2008
+# and Windows Server 2008 R2 domain controllers to store TPM recovery
+# information in a new, TPM-specific location.
+#
+# This file converts the standard schema extension in which only the creator
+# of an 'ms-TPM-Information-Object' can write to the object to the Open
+# schema extension in which any Domain Computer can write to the object.
+#
+# This conversion does not apply to any 'ms-TPM-Information-Object' that
+# was created before the conversion.
+#
+# Change History: 
+#   12/2011 - Created
+#
+# To change the schema, use the LDIFDE tool on the schema master of the forest.
+#
+# Sample command:
+#   ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf
+#      -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
+#
+# For more information on LDIFDE tool, see
+# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677 
+#
+#===============================================================================
+#
+# Modify the TPM-Information-Object class schema 'defaultSecurityDescriptor' to
+# allow any Domain Computer to write its properties (including the TPM OwnerAuth
+# value) from allowing only the creating Computer object to write its properties
+#
+# NOTE: Keep any changes to the 'defaultSecurityDescriptor' value in synchronization
+#   with the value in the TPM-Information-Object class description in the
+#   'TpmSchemaExtension.ldf' file
+#
+dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
+changetype: modify
+replace: defaultSecurityDescriptor
+defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPLO;;;DC)
+-
+#
+# Commit the modification to the TPM-Information-Object schema
+#
+dn:
+changetype: modify
+add: schemaUpdateNow
+schemaUpdateNow: 1
+-
+```
+ 
+ 

windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md

@@ -19,8 +19,8 @@ localizationpriority: high
 
 You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330).
 
->[!IMPORTANT]
+>**Important**<br>
->Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
+Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
 
 ## Add Store apps
 1.  Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
@@ -39,15 +39,13 @@ You can add apps to your Windows Information Protection (WIP) protected app list
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
-    >[!NOTE]
+    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
-    >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
 7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
 
-    >[!IMPORTANT]
+    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
-    >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -87,18 +85,16 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
-    >[!IMPORTANT]
+    >**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
-    >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
     
-    >[!NOTE]
+    <p>
-    >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
 7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
 
-    >[!IMPORTANT]
+    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
-    >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -122,10 +118,7 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
 
     After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
 
->[!NOTE]
+##Related topics
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-## Related topics
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
 - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
 - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)

windows/keep-secure/allow-log-on-locally.md

@@ -1,5 +1,5 @@
 ---
-title: Allow log on locally - security policy setting (Windows 10)
+title: Allow log on locally (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
 ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Allow log on locally - security policy setting
+# Allow log on locally
 
 **Applies to**
 -   Windows 10

windows/keep-secure/app-behavior-with-wip.md

@@ -129,6 +129,3 @@ This table includes info about how enlightened apps might behave, based on your
         </td>
     </tr>
 </table>
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/back-up-files-and-directories.md

@@ -1,5 +1,5 @@
 ---
-title: Back up files and directories - security policy setting (Windows 10)
+title: Back up files and directories (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
 ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Back up files and directories - security policy setting
+# Back up files and directories
 
 **Applies to**
 -   Windows 10

windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md

@@ -1,6 +1,6 @@
 ---
-title: Back up the TPM recovery information to AD DS (Windows 10)
+title: Backup the TPM recovery Information to AD DS (Windows 10)
-description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
+description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
 ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,19 +9,556 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Back up the TPM recovery information to AD DS
+# Backup the TPM recovery Information to AD DS
 
 **Applies to**
 -   Windows 10, version 1511
 -   Windows 10, version 1507
 
 **Does not apply to**
+- Windows 10, version 1607 or later
 
--   Windows 10, version 1607 or later
+This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
 
-With Windows 10, versions 1511 and 1507, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](https://technet.microsoft.com/library/dn466534(v=ws.11).aspx).
+## About administering TPM remotely
 
-## Related topics
+Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without having to be present at the computer.
 
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
+You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**.
+
+> **Note:**  The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored.
+ 
+Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+
+This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
+
+In this topic:
+
+1.  [Check status of prerequisites](#bkmk-prereqs)
+2.  [Set permissions to back up password information](#bkmk-setperms)
+3.  [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp)
+4.  [Use AD DS to recover TPM information](#bkmk-useit)
+5.  [Sample scripts](#bkmk-adds-tpm-scripts)
+
+## <a href="" id="bkmk-prereqs"></a>Check status of prerequisites
+
+Before you begin your backup, ensure that the following prerequisites are met:
+
+1.  All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.
+    
+    > **Tip:**  For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+     
+2.  You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.
+
+## <a href="" id="bkmk-setperms"></a>Set permissions to back up password information
+
+This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added.
+
+This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions:
+
+-   You have domain administrator credentials to set permissions for the top-level domain object.
+-   Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN.
+
+    > **Note:**  You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
+    `LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`
+     
+-   Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects.
+
+    Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. 
+    You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
+
+**To add an ACE to allow TPM recovery information backup**
+
+1.  Open the sample script **Add-TPMSelfWriteACE.vbs**.
+
+    The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name.
+
+2.  Save your modifications to the script.
+3.  Type the following at a command prompt, and then press ENTER:
+
+    **cscript Add-TPMSelfWriteACE.vbs**
+
+This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain.
+Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary.
+
+**Manage ACEs configured on TPM schema objects**
+
+1.  Open the sample script **List-ACEs.vbs**.
+2.  Modify **List-ACEs.vbs**.
+
+    You must modify:
+    -   Value of **strPathToDomain**: Use your domain name.
+    -   Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects.
+
+3.  Save your modifications to the script.
+4.  Type the following at a command prompt, and then press ENTER:
+
+    **cscript List-ACEs.vbs**
+
+    With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain.
+
+## <a href="" id="bkmk-configuregp"></a>Configure Group Policy to back up TPM recovery information in AD DS
+
+Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain.
+
+**To enable local policy setting to back up TPM recovery information to AD DS**
+
+1.  Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group.
+2.  Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**.
+3.  Click **Trusted Platform Module Services**.
+4.  Double-click **Turn on TPM backup to Active Directory Domain Services**.
+5.  Click **Enabled**, and then click **OK**.
+> **Important:**  When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
+ 
+## <a href="" id="bkmk-useit"></a>Use AD DS to recover TPM information
+
+When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required.
+
+**To obtain TPM owner backup information from AD DS and create a password file**
+
+1.  Sign in to a domain controller by using domain administrator credentials.
+2.  Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
+3.  Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
+4.  At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
+
+    The expected output is a string that is the hash of the password that you created earlier.
+    > **Note:**  If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
+    
+    The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.
+     
+5.  Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step.
+    
+    ``` syntax
+    <?xml version="1.0" encoding="UTF-8"?>
+    <!--
+    This page is a backup of Trusted Platform Module (TPM) owner
+    authorization information. Upon request, use the authorization information to
+    prove ownership of the computer's TPM.
+    IMPORTANT: Please keep this file in a secure location away from your computer's
+    local hard drive.
+    -->
+    <tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows [Version 6.1.7600]" creationDate="2009-11-11T14:39:29-08:00" creationUser="DOMAIN\username" machineName="mymachine">
+                    <tpmInfo manufacturerId="1096043852"/>
+                    <ownerAuth>TpmOwnerPasswordHash</ownerAuth>
+    </tpmOwnerData>
+    ```
+6.  Save this file with a .tpm extension on a removable storage device, such as a USB flash drive. When you access the TPM, and you are required to provide the TPM owner password, choose the option for reading the password from a file and provide the path to this file.
+
+## <a href="" id="bkmk-adds-tpm-scripts"></a>Sample scripts
+
+You can use all or portions of the following sample scripts, which are used in the preceding procedures, to configure AD DS for backing up TPM recovery information. Customization is required depending on how your environment is configured.
+
+-   [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#bkmk-add-tpmselfwriteace)
+-   [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#bkmk-list-aces)
+-   [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#bkmk-get-tpmownerinfo)
+
+### <a href="" id="bkmk-add-tpmselfwriteace"></a>Add-TPMSelfWriteACE.vbs
+
+This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS.
+
+``` syntax
+'===============================================================================
+'
+' This script demonstrates the addition of an Access Control Entry (ACE)
+' to allow computers to write Trusted Platform Module (TPM) 
+' recovery information to Active Directory.
+'
+' This script creates a SELF ACE on the top-level domain object, and
+' assumes that inheritance of ACL's from the top-level domain object to 
+' down-level computer objects are enabled.
+'
+' 
+'
+' Last Updated: 12/05/2012
+' Last Reviewed: 12/05/2012
+' Microsoft Corporation
+'
+' Disclaimer
+' 
+' The sample scripts are not supported under any Microsoft standard support program
+' or service. The sample scripts are provided AS IS without warranty of any kind. 
+' Microsoft further disclaims all implied warranties including, without limitation, 
+' any implied warranties of merchantability or of fitness for a particular purpose. 
+' The entire risk arising out of the use or performance of the sample scripts and 
+' documentation remains with you. In no event shall Microsoft, its authors, or 
+' anyone else involved in the creation, production, or delivery of the scripts be 
+' liable for any damages whatsoever (including, without limitation, damages for loss 
+' of business profits, business interruption, loss of business information, or 
+' other pecuniary loss) arising out of the use of or inability to use the sample 
+' scripts or documentation, even if Microsoft has been advised of the possibility 
+' of such damages.
+'
+' Version 1.0.2 - Tested and re-released for Windows 8 and Windows Server 2012 
+' 
+'===============================================================================
+' --------------------------------------------------------------------------------
+' Access Control Entry (ACE) constants 
+' --------------------------------------------------------------------------------
+'- From the ADS_ACETYPE_ENUM enumeration
+Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5   'Allows an object to do something
+'- From the ADS_ACEFLAG_ENUM enumeration
+Const ADS_ACEFLAG_INHERIT_ACE                = &H2   'ACE can be inherited to child objects
+Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8   'ACE does NOT apply to target (parent) object
+'- From the ADS_RIGHTS_ENUM enumeration
+Const ADS_RIGHT_DS_WRITE_PROP                = &H20  'The right to write object properties
+Const ADS_RIGHT_DS_CREATE_CHILD              = &H1   'The right to create child objects
+'- From the ADS_FLAGTYPE_ENUM enumeration
+Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1   'Target object type is present in the ACE 
+Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2   'Target inherited object type is present in the ACE 
+' --------------------------------------------------------------------------------
+' TPM and FVE schema object GUID's 
+' --------------------------------------------------------------------------------
+'- ms-TPM-OwnerInformation attribute
+SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
+'- ms-FVE-RecoveryInformation object
+SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"
+'- Computer object
+SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"
+'Reference: "Platform SDK: Active Directory Schema"
+' --------------------------------------------------------------------------------
+' Set up the ACE to allow write of TPM owner information
+' --------------------------------------------------------------------------------
+Set objAce1 = createObject("AccessControlEntry")
+objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
+objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
+objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
+objAce1.Trustee = "SELF"
+objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP 
+objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
+objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER
+' --------------------------------------------------------------------------------
+' NOTE: BY default, the "SELF" computer account can create 
+' BitLocker recovery information objects and write BitLocker recovery properties
+'
+' No additional ACE's are needed.
+' --------------------------------------------------------------------------------
+' --------------------------------------------------------------------------------
+' Connect to Discretional ACL (DACL) for domain object
+' --------------------------------------------------------------------------------
+Set objRootLDAP = GetObject("LDAP://rootDSE")
+strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
+Set objDomain = GetObject(strPathToDomain)
+WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")
+Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
+Set objDacl = objDescriptor.DiscretionaryAcl
+ 
+' --------------------------------------------------------------------------------
+' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
+' --------------------------------------------------------------------------------
+objDacl.AddAce objAce1
+objDescriptor.DiscretionaryAcl = objDacl
+objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
+objDomain.SetInfo
+WScript.Echo "SUCCESS!"
+```
+
+### <a href="" id="bkmk-list-aces"></a>List-ACEs.vbs
+
+This script lists or removes the ACEs that are configured on BitLocker and TPM schema objects for the top-level domain. This enables you to verify that the expected ACEs have been added appropriately or to remove any ACEs that are related to BitLocker or the TPM, if necessary.
+
+``` syntax
+'===============================================================================
+'
+' This script lists the access control entries (ACE's) configured on 
+' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects 
+' for the top-level domain.
+'
+' You can use this script to check that the correct permissions have been set and
+' to remove TPM and BitLocker ACE's from the top-level domain.
+'
+' 
+' Last Updated: 12/05/2012
+' Last Reviewed: 12/02/2012
+'
+' Microsoft Corporation
+'
+' Disclaimer
+' 
+' The sample scripts are not supported under any Microsoft standard support program
+' or service. The sample scripts are provided AS IS without warranty of any kind. 
+' Microsoft further disclaims all implied warranties including, without limitation, 
+' any implied warranties of merchantability or of fitness for a particular purpose. 
+' The entire risk arising out of the use or performance of the sample scripts and 
+' documentation remains with you. In no event shall Microsoft, its authors, or 
+' anyone else involved in the creation, production, or delivery of the scripts be 
+' liable for any damages whatsoever (including, without limitation, damages for loss 
+' of business profits, business interruption, loss of business information, or 
+' other pecuniary loss) arising out of the use of or inability to use the sample 
+' scripts or documentation, even if Microsoft has been advised of the possibility 
+' of such damages.
+'
+' Version 1.0.2 - Tested and re-released for Windows 8 and Windows Server 2012
+' 
+'===============================================================================
+' --------------------------------------------------------------------------------
+' Usage
+' --------------------------------------------------------------------------------
+Sub ShowUsage
+   Wscript.Echo "USAGE: List-ACEs"
+   Wscript.Echo "List access permissions for BitLocker and TPM schema objects"
+   Wscript.Echo ""
+   Wscript.Echo "USAGE: List-ACEs -remove"
+   Wscript.Echo "Removes access permissions for BitLocker and TPM schema objects"
+   WScript.Quit
+End Sub
+' --------------------------------------------------------------------------------
+' Parse Arguments
+' --------------------------------------------------------------------------------
+Set args = WScript.Arguments
+Select Case args.Count
+  
+  Case 0
+      ' do nothing - checks for ACE's 
+      removeACE = False
+      
+  Case 1
+    If args(0) = "/?" Or args(0) = "-?" Then
+      ShowUsage
+    Else 
+      If UCase(args(0)) = "-REMOVE" Then
+            removeACE = True
+      End If
+    End If
+  Case Else
+    ShowUsage
+End Select
+' --------------------------------------------------------------------------------
+' Configuration of the filter to show/remove only ACE's for BDE and TPM objects
+' --------------------------------------------------------------------------------
+'- ms-TPM-OwnerInformation attribute
+SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
+'- ms-FVE-RecoveryInformation object
+SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"
+' Use this filter to list/remove only ACEs related to TPM and BitLocker
+aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _
+                      SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION)
+' Note to script source reader:
+' Uncomment the following line to turn off the filter and list all ACEs
+'aceGuidFilter = Array()
+' --------------------------------------------------------------------------------
+' Helper functions related to the list filter for listing or removing ACE's
+' --------------------------------------------------------------------------------
+Function IsFilterActive()
+    If Join(aceGuidFilter) = "" Then
+       IsFilterActive = False
+    Else 
+       IsFilterActive = True
+    End If
+End Function
+Function isAceWithinFilter(ace) 
+    aceWithinFilter = False  ' assume first not pass the filter
+    For Each guid In aceGuidFilter 
+        If ace.ObjectType = guid Or ace.InheritedObjectType = guid Then
+           isAceWithinFilter = True           
+        End If
+    Next
+End Function
+Sub displayFilter
+    For Each guid In aceGuidFilter
+       WScript.echo guid
+    Next
+End Sub
+' --------------------------------------------------------------------------------
+' Connect to Discretional ACL (DACL) for domain object
+' --------------------------------------------------------------------------------
+Set objRootLDAP = GetObject("LDAP://rootDSE")
+strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com
+Set domain = GetObject(strPathToDomain)
+WScript.Echo "Accessing object: " + domain.Get("distinguishedName")
+WScript.Echo ""
+Set descriptor = domain.Get("ntSecurityDescriptor")
+Set dacl = descriptor.DiscretionaryAcl
+' --------------------------------------------------------------------------------
+' Show Access Control Entries (ACE's)
+' --------------------------------------------------------------------------------
+' Loop through the existing ACEs, including all ACEs if the filter is not active
+i = 1 ' global index
+c = 0 ' found count - relevant if filter is active
+For Each ace In dacl
+ If IsFilterActive() = False or isAceWithinFilter(ace) = True Then
+    ' note to script source reader:
+    ' echo i to show the index of the ACE
+    
+    WScript.echo ">            AceFlags: " & ace.AceFlags
+    WScript.echo ">             AceType: " & ace.AceType
+    WScript.echo ">               Flags: " & ace.Flags
+    WScript.echo ">          AccessMask: " & ace.AccessMask
+    WScript.echo ">          ObjectType: " & ace.ObjectType
+    WScript.echo "> InheritedObjectType: " & ace.InheritedObjectType
+    WScript.echo ">             Trustee: " & ace.Trustee
+    WScript.echo ""
+    if IsFilterActive() = True Then
+      c = c + 1
+      ' optionally include this ACE in removal list if configured
+      ' note that the filter being active is a requirement since we don't
+      ' want to accidentally remove all ACEs
+      If removeACE = True Then
+        dacl.RemoveAce ace  
+      End If
+    end if
+  End If 
+  i = i + 1
+Next
+' Display number of ACEs found
+If IsFilterActive() = True Then
+  WScript.echo c & " ACE(s) found in " & domain.Get("distinguishedName") _
+                 & " related to BitLocker and TPM" 'note to script source reader: change this line if you configure your own 
+filter
+  ' note to script source reader: 
+  ' uncomment the following lines if you configure your own filter
+  'WScript.echo ""
+  'WScript.echo "The following filter was active: "
+  'displayFilter
+  'Wscript.echo ""
+Else
+  i = i - 1
+  WScript.echo i & " total ACE(s) found in " & domain.Get("distinguishedName")
+  
+End If
+' --------------------------------------------------------------------------------
+' Optionally remove ACE's on a filtered list
+' --------------------------------------------------------------------------------
+if removeACE = True and IsFilterActive() = True then
+  descriptor.DiscretionaryAcl =  dacl
+  domain.Put "ntSecurityDescriptor", Array(descriptor)
+  domain.setInfo
+  WScript.echo c & " ACE(s) removed from " & domain.Get("distinguishedName")
+else 
+  if removeACE = True then
+    WScript.echo "You must specify a filter to remove ACEs from " & domain.Get("distinguishedName") 
+ 
+ end if
+end if
+```
+
+### <a href="" id="bkmk-get-tpmownerinfo"></a>Get-TPMOwnerInfo.vbs
+
+This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly.
+
+``` syntax
+'=================================================================================
+'
+' This script demonstrates the retrieval of Trusted Platform Module (TPM) 
+' recovery information from Active Directory for a particular computer.
+'
+' It returns the TPM owner information stored as an attribute of a 
+' computer object.
+'
+' Last Updated: 12/05/2012
+' Last Reviewed: 12/05/2012
+'
+' Microsoft Corporation
+'
+' Disclaimer
+' 
+' The sample scripts are not supported under any Microsoft standard support program
+' or service. The sample scripts are provided AS IS without warranty of any kind. 
+' Microsoft further disclaims all implied warranties including, without limitation, 
+' any implied warranties of merchantability or of fitness for a particular purpose. 
+' The entire risk arising out of the use or performance of the sample scripts and 
+' documentation remains with you. In no event shall Microsoft, its authors, or 
+' anyone else involved in the creation, production, or delivery of the scripts be 
+' liable for any damages whatsoever (including, without limitation, damages for loss 
+' of business profits, business interruption, loss of business information, or 
+' other pecuniary loss) arising out of the use of or inability to use the sample 
+' scripts or documentation, even if Microsoft has been advised of the possibility 
+' of such damages.
+'
+' Version 1.0 - Initial release
+' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
+' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
+' 
+'=================================================================================
+' --------------------------------------------------------------------------------
+' Usage
+' --------------------------------------------------------------------------------
+Sub ShowUsage
+   Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
+   Wscript.Echo "If no computer name is specified, the local computer is assumed."
+   WScript.Quit
+End Sub
+' --------------------------------------------------------------------------------
+' Parse Arguments
+' --------------------------------------------------------------------------------
+Set args = WScript.Arguments
+Select Case args.Count
+  
+  Case 0
+      ' Get the name of the local computer      
+      Set objNetwork = CreateObject("WScript.Network")
+      strComputerName = objNetwork.ComputerName
+    
+  Case 1
+    If args(0) = "/?" Or args(0) = "-?" Then
+      ShowUsage
+    Else
+      strComputerName = args(0)
+    End If
+  
+  Case Else
+    ShowUsage
+End Select
+' --------------------------------------------------------------------------------
+' Get path to Active Directory computer object associated with the computer name
+' --------------------------------------------------------------------------------
+Function GetStrPathToComputer(strComputerName) 
+    ' Uses the global catalog to find the computer in the forest
+    ' Search also includes deleted computers in the tombstone
+    Set objRootLDAP = GetObject("LDAP://rootDSE")
+    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com    
+    strBase = "<GC://" & namingContext & ">"
+ 
+    Set objConnection = CreateObject("ADODB.Connection") 
+    Set objCommand = CreateObject("ADODB.Command") 
+    objConnection.Provider = "ADsDSOOBject" 
+    objConnection.Open "Active Directory Provider" 
+    Set objCommand.ActiveConnection = objConnection 
+    strFilter = "(&(objectCategory=Computer)(cn=" &  strComputerName & "))"
+    strQuery = strBase & ";" & strFilter  & ";distinguishedName;subtree" 
+    objCommand.CommandText = strQuery 
+    objCommand.Properties("Page Size") = 100 
+    objCommand.Properties("Timeout") = 100
+    objCommand.Properties("Cache Results") = False 
+    ' Enumerate all objects found. 
+    Set objRecordSet = objCommand.Execute 
+    If objRecordSet.EOF Then
+      WScript.echo "The computer name '" &  strComputerName & "' cannot be found."
+      WScript.Quit 1
+    End If
+    ' Found object matching name
+    Do Until objRecordSet.EOF 
+      dnFound = objRecordSet.Fields("distinguishedName")
+      GetStrPathToComputer = "LDAP://" & dnFound
+      objRecordSet.MoveNext 
+    Loop 
+    ' Clean up. 
+    Set objConnection = Nothing 
+    Set objCommand = Nothing 
+    Set objRecordSet = Nothing 
+End Function
+' --------------------------------------------------------------------------------
+' Securely access the Active Directory computer object using Kerberos
+' --------------------------------------------------------------------------------
+Set objDSO = GetObject("LDAP:")
+strPath = GetStrPathToComputer(strComputerName)
+WScript.Echo "Accessing object: " + strPath
+Const ADS_SECURE_AUTHENTICATION = 1
+Const ADS_USE_SEALING = 64 '0x40
+Const ADS_USE_SIGNING = 128 '0x80
+Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
+                                   ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
+' --------------------------------------------------------------------------------
+' Get the TPM owner information from the Active Directory computer object
+' --------------------------------------------------------------------------------
+strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
+WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
+```
+
+## Additional resources
+
+- [Trusted Platform Module technology overview](trusted-platform-module-overview.md)
+- [TPM fundamentals](tpm-fundamentals.md)
 - [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
+- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
+- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
+- [Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations

windows/keep-secure/basic-audit-logon-events.md

@@ -22,8 +22,6 @@ If you define this policy setting, you can specify whether to audit successes, a
 
 To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
 
-For information about advanced security policy settings for logon events, see the [Logon/logoff](advanced-security-audit-policy-settings.md#logonlogoff) section in [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
-
 ## Configure this audit setting
 
 You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.

windows/keep-secure/bitlocker-basic-deployment.md

@@ -40,7 +40,7 @@ BitLocker encryption can be done using the following methods:
 
 ### Encrypting volumes using the BitLocker control panel
 
-Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
 To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
 
 ### Operating system volume

windows/keep-secure/bitlocker-countermeasures.md

@@ -23,9 +23,9 @@ The sections that follow provide more detailed information about the different t
 
 ### Protection before startup
 
-Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM.
+Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM.
 
-#### Trusted Platform Module
+**Trusted Platform Module**
 
 Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.
 
@@ -33,7 +33,7 @@ A TPM is a microchip designed to provide basic security-related functions, prima
 By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.
 For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md).
 
-#### UEFI and Secure Boot
+**UEFI and Secure Boot**
 
 No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys.
 
@@ -53,7 +53,7 @@ Using the digital signature, UEFI verifies that the bootloader was signed using
 
 If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed.
 
-Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot:
+All Windows 8–certified devices must meet several requirements related to UEFI-based Secure Boot:
 
 -   They must have Secure Boot enabled by default.
 -   They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).

windows/keep-secure/bitlocker-frequently-asked-questions.md

@@ -47,8 +47,6 @@ Yes, BitLocker supports multifactor authentication for operating system drives.
 
 ### <a href="" id="bkmk-hsrequirements"></a>What are the BitLocker hardware and software requirements?
 
-For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements).
-
 > **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
  
 ### <a href="" id="bkmk-partitions"></a>Why are two partitions required? Why does the system drive have to be so large?
@@ -200,9 +198,9 @@ Any number of internal, fixed data drives can be protected with BitLocker. On so
 
 ## <a href="" id="bkmk-keymanagement"></a>Key management
 
-### <a href="" id="bkmk-key"></a>What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
+### <a href="" id="bkmk-key"></a>What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key?
 
-For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). 
+There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.
 
 ### <a href="" id="bkmk-recoverypass"></a>How can the recovery password and recovery key be stored?
 

windows/keep-secure/bitlocker-group-policy-settings.md

@@ -1509,6 +1509,7 @@ If the **Require BitLocker backup to AD DS** option is not selected, AD DS bac
 TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up.
 
 For more information about this setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md).
+If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md).
 
 ### <a href="" id="bkmk-rec4"></a>Choose default folder for recovery password
 

windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md

@@ -14,7 +14,7 @@ author: brianlic-msft
 **Applies to**
 -   Windows 10
 
-This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later.
+This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.
 
 For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment.
 

windows/keep-secure/bitlocker-how-to-enable-network-unlock.md

@@ -231,7 +231,7 @@ The following steps detail how to create a certificate template for use with Bit
 
 1.  Open the Certificates Template snap-in (certtmpl.msc).
 2.  Locate the User template. Right-click the template name and select **Duplicate Template**.
-3.  On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
+3.  On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
 4.  Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
 5.  Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
 6.  Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)

windows/keep-secure/bitlocker-overview.md

@@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen
 
 ## <a href="" id="bkmk-new"></a>New and changed functionality
 
-To find out what's new in BitLocker for Windows 10, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
+To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md)
  
 ## System requirements
 
@@ -74,10 +74,9 @@ When installing the BitLocker optional component on a server you will also need
 | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. |
 | [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| 
 | [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. |
-| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker. |
 | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.| 
 | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
 | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
 
-If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker).
+If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm).