Merge remote-tracking branch 'refs/remotes/Microsoft/sh-1607'
@ -13,66 +13,44 @@ localizationpriority: medium
|
||||
|
||||
# Accessibility (Surface Hub)
|
||||
|
||||
Microsoft Surface Hub has the same accessibility options as Windows 10.
|
||||
|
||||
Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under **Ease of Access**. Your Surface Hub has the same accessibility options as Windows 10.
|
||||
|
||||
The default accessibility settings for Surface Hub include:
|
||||
## Default accessibility settings
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Accessibility feature</th>
|
||||
<th align="left">Default setting</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Narrator</strong></p></td>
|
||||
<td align="left"><p>Off</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Magnifier</strong></p></td>
|
||||
<td align="left"><p>Off</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>High contrast</strong></p></td>
|
||||
<td align="left"><p>No theme selected</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Closed captions</strong></p></td>
|
||||
<td align="left"><p>Defaults selected for <strong>Font</strong> and <strong>Background and window</strong>.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Keyboard</strong></p></td>
|
||||
<td align="left"><p>On-screen <strong>Keyboard</strong>, <strong>Sticky Keys</strong>, <strong>Toggle Keys</strong>, and <strong>Filter Keys</strong> are all off.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Mouse</strong></p></td>
|
||||
<td align="left"><p>Defaults selected for <strong>Pointer size</strong>, <strong>Pointer color</strong> and <strong>Mouse keys</strong>.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
The full list of accessibility settings are available to IT admins in the **Settings** app. The default accessibility settings for Surface Hub include:
|
||||
|
||||
|
||||
| Accessibility feature | Default settings |
|
||||
| --------------------- | ----------------- |
|
||||
| Narrator | Off |
|
||||
| Magnifier | Off |
|
||||
| High contrast | No theme selected |
|
||||
| Closed captions | Defaults selected for Font and Background and window |
|
||||
| Keyboard | **On-screen Keyboard**, **Sticky Keys**, **Toggle Keys**, and **Filter Keys** are all off. |
|
||||
| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
|
||||
| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
|
||||
|
||||
Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
|
||||
- Narrator
|
||||
- Magnifier
|
||||
- High contrast
|
||||
- Filter keys
|
||||
- Sticky keys
|
||||
- Toggle keys
|
||||
- Mouse keys
|
||||
|
||||
|
||||
## Change accessibility settings during a meeting
|
||||
|
||||
During a meeting, users can toggle accessibility features and apps in a couple ways:
|
||||
- [Keyboard shortcuts](https://support.microsoft.com/en-us/help/13813/windows-10-microsoft-surface-hub-keyboard-shortcuts)
|
||||
- **Quick Actions** > **Ease of Access** from the status bar
|
||||
|
||||
> 
|
||||
|
||||
You'll find additional settings under **Ease of Access** > **Other options**.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Manage Microsoft Surface Hub](manage-surface-hub.md)
|
||||
|
||||
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
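Review bot: In the sentence that introduces the Markdown table, "The full list of accessibility settings are available" has a subject-verb mismatch; it should read "The full list ... is available". The list of features reset by **I'm Done** also writes "Filter keys", "Sticky keys" and "Toggle keys" while the table writes "Filter Keys", "Sticky Keys" and "Toggle Keys"; pick one casing for both.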
@ -14,96 +14,73 @@ localizationpriority: medium
|
||||
# Admin group management (Surface Hub)
|
||||
|
||||
|
||||
Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.
|
||||
Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app.
|
||||
|
||||
|
||||
The Settings app requires local administrator credentials to open the app.
|
||||
## Admin Group Management
|
||||
|
||||
You can set up administrator accounts for the device in one of three ways:
|
||||
|
||||
You can set up administrator accounts for the device in any of three ways:
|
||||
- Create a local admin account
|
||||
- Domain join the device to Active Directory (AD)
|
||||
- Azure Active Directory (Azure AD) join the device
|
||||
|
||||
- Create a local admin account.
|
||||
- Domain join the device to Active Directory (AD).
|
||||
- Azure Active Directory (Azure AD) join the device.
|
||||
|
||||
### Create a local admin account
|
||||
|
||||
To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will need to be provided to open the Settings app.
|
||||
To create a local admin, [choose to use a local admin during first run](first-run-program-surface-hub.md#use-a-local-admin). This will create a single local admin account on the Surface Hub with the username and password of your choice. Use these credentials to open the Settings app.
|
||||
|
||||
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then you’ll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
|
||||
|
||||
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again.
|
||||
|
||||
### Domain join the device to Active Directory (AD)
|
||||
|
||||
You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings.
|
||||
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
|
||||
|
||||
>**Note** Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
|
||||
#### What happens when you domain join your Surface Hub?
|
||||
Surface Hubs use domain join to:
|
||||
- Grant admin rights to members of a specified security group in AD.
|
||||
- Backup the device's BitLocker recovery key by storing it under the computer object in AD. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
|
||||
- Synchronize the system clock with the domain controller for encrypted communication
|
||||
|
||||
|
||||
Surface Hub does not support applying group policies or certificates from the domain controller.
|
||||
|
||||
>**Note** If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first.
|
||||
> [!NOTE]
|
||||
> If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
|
||||
|
||||
|
||||
|
||||
### Azure Active Directory (Azure AD) join the device
|
||||
|
||||
You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app.
|
||||
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
|
||||
|
||||
>**Note** If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses.
|
||||
By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
|
||||
1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
|
||||
2. On the **Configure** page, under **Devices** > **Additional administrators on Azure AD joined devices**, click **Selected**.
|
||||
3. Click **Add**, and select the users you want to add as administrators on your Surface Hub and other Azure AD joined devices.
|
||||
4. When you have finished, click the checkmark button to save your change.
|
||||
|
||||
#### What happens when you Azure AD join your Surface Hub?
|
||||
Surface Hubs use Azure AD join to:
|
||||
- Grant admin rights to the appropriate users in your Azure AD tenant.
|
||||
- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
|
||||
|
||||
|
||||
|
||||
### Which should I choose?
|
||||
|
||||
If your organization is using AD or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with you domain or organization.
|
||||
If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
|
||||
|
||||
We recommend that a local admin be set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
|
||||
|
||||
### Summary
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="33%" />
|
||||
<col width="33%" />
|
||||
<col width="33%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">How is the local administrator set up?</th>
|
||||
<th align="left">Requirements</th>
|
||||
<th align="left">Which credentials can be used for the Settings app?</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left">A local admin account is created.</td>
|
||||
<td align="left">None.</td>
|
||||
<td align="left">The credentials of the local admin that was created.</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">The Surface Hub is joined to a domain.</td>
|
||||
<td align="left">Your organization is using Active Directory (AD).</td>
|
||||
<td align="left">Credentials of any AD user from a specified security group</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">The Surface Hub is joined to Azure Active Directory (Azure AD).</td>
|
||||
<td align="left">Your organization is using Azure AD Basic.</td>
|
||||
<td align="left">Tenant or device admins</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Your organization is using Azure AD Premium.</td>
|
||||
<td align="left">Tenant or device admins + additional specified people</td>
|
||||
<td align="left"></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
| Option | Requirements | Which credentials can be used to access the Settings app? |
|
||||
|---------------------------------------------------|-----------------------------------------|-------|
|
||||
| Create a local admin account | None | The user name and password specified during first run |
|
||||
| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
|
||||
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
|
||||
| | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
|
||||
|
||||
|
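Review bot: The first-run links in the domain join and Azure AD join paragraphs use the fragments `#a-href-iduse-active-directoryause-active-directory-domain-services` and `#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory`, which look generated from raw anchor markup and will break if the target heading is edited. The local admin link uses the clean `#use-a-local-admin`, and the other two should follow that form. In the summary table "Global administators only" is misspelled, and the bullet "Synchronize the system clock with the domain controller for encrypted communication" is missing the period its sibling bullets have.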
@ -133,7 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
|
||||
5. Finally, to connect to Exchange Online Services, run:
|
||||
|
||||
``` syntax
|
||||
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
|
||||
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
|
||||
```
|
||||
|
||||

|
||||
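Review bot: The corrected `New-PSSession` line still writes `–AllowRedirection` with an en dash while every other parameter on the line uses an ASCII hyphen. Since the line is already being edited to add the space after `-ConnectionUri`, replace the dash in the same change; the `Set-CalendarProcessing` context lines further down (`–AllowConflicts`, `–DeleteComments`) have the same issue. The line also passes `$cred` with `-Authentication "Basic"`, so a short sentence in the step noting that the credential goes to the `https://` endpoint shown would help readers who adapt the URI.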
@ -202,7 +202,7 @@ Now that you're connected to the online services, you can finish setting up the
|
||||
|
||||
``` syntax
|
||||
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
|
||||
```
|
||||
|
||||

|
||||
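Review bot: Search the rest of the docs for remaining `<tla` tokens in code samples. The one fixed here in `-AdditionalResponse` sat inside a double-quoted string, where its inner quotes end the string early, and the identical fix is needed again in the next hunk of this file, which suggests the token was left behind in more than one place.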
@ -350,7 +350,7 @@ Now that you're connected to the online services, you can finish setting up the
|
||||
|
||||
``` syntax
|
||||
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
|
||||
```
|
||||
|
||||
5. Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”).
|
||||
|
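Review bot: In step 5 at the end of this hunk, "the part of the UPN that becomes before the “@”" should read "comes before". The line is unchanged context here, but it sits directly under the corrected sample and is cheap to fix in the same change.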
@ -16,166 +16,43 @@ localizationpriority: medium
|
||||
|
||||
This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
|
||||
|
||||
A "device account" is an account that the Microsoft Surface Hub uses to:
|
||||
A **device account** is an Exchange resource account that Surface Hub uses to:
|
||||
|
||||
- sync its meeting calendar,
|
||||
- send mail,
|
||||
- and enable Skype for Business compatibility.
|
||||
- Display its meeting calendar
|
||||
- Join Skype for Business calls
|
||||
- Send email (for example, email whiteboard content from a meeting)
|
||||
|
||||
People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees.
|
||||
Once the device account is provisioned to a Surface Hub, people can add this account to a meeting invitation the same way that they would invite a meeting room.
|
||||
|
||||
>**Important** Without a device account, none of these features will work.
|
||||
## Configuration overview
|
||||
|
||||
|
||||
This table explains the main steps and configuration decisions when you create a device account.
|
||||
|
||||
Every device account is unique to a single Surface Hub, and requires some setup:
|
||||
| Step | Description | Purpose |
|
||||
|------|---------------------------------|--------------------------------------|
|
||||
| 1 | Created a logon-enabled Exchange resource mailbox (Exchange 2013 or later, or Exchange Online) | This resource mailbox allows the device to maintain a meeting calendar, receive meeting requests, and send mail. It must be logon-enabled to be provisioned to a Surface Hub. |
|
||||
| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
|
||||
| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
|
||||
| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
|
||||
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
|
||||
| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
|
||||
|
||||
- The device account must be configured correctly, as described in the folllowing sections.
|
||||
- Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services.
|
||||
## Detailed configuration steps
|
||||
|
||||
You can think of a device account as the resource account that people recognize as a conference room’s or meeting space’s account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one.
|
||||
We recommend setting up your device accounts using remote PowerShell. There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts and instructions, see [Appendix A: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
|
||||
|
||||
If you already have a resource mailbox account set up for the meeting space where you’re putting a Surface Hub, you can change that resource account into a device account. Once that’s done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md).
|
||||
For detailed steps using PowerShell to provision a device account, choose an option from the table, based on your organization deployment.
|
||||
|
||||
The following sections will describe how to create and test a device account before configuring your Surface Hub.
|
||||
| Organization deployment | Description |
|
||||
|---------------------------------|--------------------------------------|
|
||||
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
|
||||
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
|
||||
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
|
||||
|
||||
### Basic configuration
|
||||
|
||||
These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config).
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Property</th>
|
||||
<th align="left">Purpose</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Exchange mailbox (Exchange 2013 or later, or Exchange Online)</p></td>
|
||||
<td align="left"><p>Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hub’s welcome screen. The Surface Hub mailbox must be a room mailbox.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)</p></td>
|
||||
<td align="left"><p>Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Password-enabled</p></td>
|
||||
<td align="left"><p>The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Compatible EAS policies</p></td>
|
||||
<td align="left"><p>The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
### <a href="" id="advanced-config"></a>Advanced configuration
|
||||
|
||||
While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Property</th>
|
||||
<th align="left">Purpose</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Certificate-based authentication</p></td>
|
||||
<td align="left"><p>Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.</p>
|
||||
<p>See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Allowed device IDs (ActiveSync Device ID)</p></td>
|
||||
<td align="left"><p>Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device account’s mail and calendar. You must ensure that the Surface Hub’s device ID is added to this whitelist. This can either be configured using PowerShell (by setting the <code>ActiveSyncAllowedDeviceIDs</code> property) or the Exchange administrative portal.</p>
|
||||
<p>You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
### How do I set up the account?
|
||||
|
||||
The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
|
||||
|
||||
You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
|
||||
|
||||
### Device account configuration
|
||||
|
||||
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
|
||||
|
||||
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
|
||||
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
|
||||
- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
|
||||
|
||||
If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md).
|
||||
|
||||
### Device account resources
|
||||
|
||||
These sections describe resources used by the Surface Hub device account.
|
||||
|
||||
- [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly.
|
||||
- [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar.
|
||||
- [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password.
|
||||
|
||||
## In this section
|
||||
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
|
||||
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
|
||||
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Topic</th>
|
||||
<th align="left">Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Online deployment](online-deployment-surface-hub-device-accounts.md)</p></td>
|
||||
<td align="left"><p>This topic has instructions for adding a device account for your Surface Hub when you have a pure, online deployment.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>[On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)</p></td>
|
||||
<td align="left"><p>This topic explains how you add a device account for your Surface Hub when you have a single-forest, on-premises deployment.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)</p></td>
|
||||
<td align="left"><p>A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>[Create a device account using UI](create-a-device-account-using-office-365.md)</p></td>
|
||||
<td align="left"><p>If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)</p></td>
|
||||
<td align="left"><p>Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)</p></td>
|
||||
<td align="left"><p>The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Password management](password-management-for-surface-hub-device-accounts.md)</p></td>
|
||||
<td align="left"><p>Every Surface Hub device account requires a password to authenticate and enable features on the device.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
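Review bot: In the Hybrid deployment and Create a device account using UI rows, the description cells use fragment-only links (`#hybrid-exchange-on-prem`, `#hybrid-exchange-online`, `#create-device-acct-o365`, `#create-device-acct-eac`), which resolve against this overview page rather than the topic linked in the first column. Unless this page defines those ids, qualify each with its file name, for example `hybrid-deployment-surface-hub-device-accounts.md#hybrid-exchange-on-prem`. The same applies to the Markdown link syntax inside `<td><p>` cells in general: confirm the build renders Markdown inside raw HTML tables, or convert the links to `<a href>`.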
@ -43,14 +43,22 @@ Initiating a reset will return the device to the last cumulative Windows update,
|
||||
|
||||

|
||||
|
||||
**Important Note**</br>
|
||||
Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
|
||||
**To reset a Surface Hub from Windows Recovery Environment**
|
||||
|
||||
On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE).
|
||||
|
||||
1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
|
||||
2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
|
||||
3. Select **Reset**.
|
||||
4. If prompted, enter your device's BitLocker key.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
|
||||
|
||||
After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Manage Microsoft Surface Hub](manage-surface-hub.md)
|
||||
|
||||
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
|
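Review bot: Step 4 of the Windows RE procedure ("If prompted, enter your device's BitLocker key") is the only mention of the key in this hunk, and nothing tells the admin where to find it or to record it before the device locks itself. Add a prerequisite line ahead of step 1 that points to where the key is saved, because an admin who reaches that prompt without it has no documented next step. The reset duration also appears with two values here (6 hours in the **Important Note** text, 2 hours in the `[!IMPORTANT]` callout); confirm only one survives the merge, and consider placing the callout above the numbered steps so it is read before the reset is started.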
@ -169,17 +169,19 @@ On this page, the Surface Hub will ask for credentials for the device account th
|
||||
|
||||
>**Note** This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
### Details
|
||||
|
||||
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field.
|
||||
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password.
|
||||
|
||||
| Environment | Required format for device account|
|
||||
| ------------ | ----------------------------------|
|
||||
| Device account is hosted only online. | username@domain.com|
|
||||
| Device account is hosted only on-prem. | DOMAIN\username|
|
||||
| Device account is hosted online and on-prem (hybrid). | DOMAIN\username|
|
||||
|
||||
- **User principal name:** This is the UPN of the device account for this Surface Hub. If you’re using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account.
|
||||
- **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If you’re using an Active Directory (AD) deployment, then you must enter the account in this format.
|
||||
- **Password:** Enter the device account password.
|
||||
|
||||
Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to:
|
||||
|
||||
|
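Review bot: The environment table and the bullet list under **Details** disagree on hybrid deployments: the table row says `Device account is hosted online and on-prem (hybrid). | DOMAIN\username`, while the **User principal name** bullet says a hybrid deployment "must enter the UPN of the device account". If both remain after the merge, an admin following the bullet will enter the format the table rules out. Keep one source of truth, preferably the table, and either drop the bullets or align their wording with it. The sentence "Use either a **user principal name (UPN)** ..." also appears twice in a row; only the longer version should remain.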
@ -11,7 +11,7 @@ localizationpriority: medium
|
||||
---
|
||||
|
||||
# End a Surface Hub meeting with I'm Done
|
||||
Surface Hub is a collaboration device designed to be used simultaneously and sequentially by multiple people. At the end of a Surface Hub meeting, one of the attendees can tap or click **I'm Done** to end the meeting. Tapping **I'm Done** tells Surface Hub to clean up info from the current meeting, so that it will be ready for the next meeting. When a meeting attendee taps **I'm Done**, Surface Hub cleans up, or resets, these states.
|
||||
Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
|
||||
- Applications
|
||||
- Operating system
|
||||
- User interface
|
||||
@ -35,6 +35,7 @@ Skype does not store personally-identifiable information on Surface Hub. Informa
|
||||
|
||||
## Operating System
|
||||
The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
|
||||
|
||||
### File System
|
||||
Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:<br>
|
||||
- Music
|
||||
@ -53,7 +54,7 @@ Surface Hub also clears these directories, since many applications often write t
|
||||
- Public Downloads
|
||||
|
||||
### Credentials
|
||||
User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap I’m done.
|
||||
User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**.
|
||||
|
||||
## User interface
|
||||
User interface (UI) settings are returned to their default values when **I'm Done** is selected.
|
||||
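Review bot: In the Credentials paragraph the control is written **I’m done** (lowercase "d", curly apostrophe), while every other reference in this topic, including the title, uses **I'm Done**. Match the UI label exactly so that searches and localization pick up one string. Since this paragraph is the security-relevant statement of the page, it would also help to say whether credentials in **TokenBroker**, **PasswordVault** and **Credential Manager** are cleared only on **I'm Done** or in any other clean-up path as well.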
@ -69,7 +70,7 @@ User interface (UI) settings are returned to their default values when **I'm Don
|
||||
Accessibility features and apps are returned to default settings when **I'm Done** is selected.
|
||||
- Filter keys
|
||||
- High contrast
|
||||
- Stickey keys
|
||||
- Sticky keys
|
||||
- Toggle keys
|
||||
- Mouse keys
|
||||
- Magnifier
|
||||
@ -80,12 +81,11 @@ The clipboard is cleared to remove data that was copied to the clipboard during
|
||||
|
||||
## Frequently asked questions
|
||||
**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**<br>
|
||||
When you don't tap **I"m Done** at the end of your meeting, Surface Hub enters a Resume state. This is similar to leaving content on a whiteboard in a meeting room, and forgetting to erase the whiteboard. When you return to the meeting room, that content will still be on the whiteboard unless someone erarses it. With Surface Hub, meeting content is still available if an attendee doesn't tap **I'm Done**. However, Surface Hub removes all meeting data during daily maintenance. Any meeting that wasn't ended with **I'm Done** will be cleaned up during maintenance.
|
||||
Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one.
|
||||
|
||||
**Are documents recoverable?**<br>
|
||||
Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. 3rd-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub.
|
||||
Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
|
||||
|
||||
**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**<br>
|
||||
No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
|
||||
|
||||
|
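Review bot: The rewritten answer to "What happens if I forget to tap I'm Done" drops the earlier statement that un-ended meetings are cleaned up during daily maintenance and now says only that users at the welcome screen "have the option to resume the previous session". Taken together, the new text means the next group in the room can open the previous group's session and nothing on the page says when, if ever, that data is removed. State that consequence explicitly and say whether maintenance still clears abandoned sessions. In the "Are documents recoverable?" answer, the added sentence "To prevent data loss, always save the data you need" addresses availability only; the preceding sentence about third-party recovery is a confidentiality point and deserves a matching recommendation or a cross-reference to the device reset topic.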
BIN
devices/surface-hub/images/ICDstart-option.PNG
Normal file
After Width: | Height: | Size: 13 KiB |
BIN
devices/surface-hub/images/choose-package.png
Normal file
After Width: | Height: | Size: 20 KiB |
BIN
devices/surface-hub/images/connect-aad.png
Normal file
After Width: | Height: | Size: 70 KiB |
BIN
devices/surface-hub/images/express-settings.png
Normal file
After Width: | Height: | Size: 108 KiB |
BIN
devices/surface-hub/images/icd-common-settings.png
Normal file
After Width: | Height: | Size: 6.0 KiB |
BIN
devices/surface-hub/images/icd-new-project.png
Normal file
After Width: | Height: | Size: 12 KiB |
BIN
devices/surface-hub/images/license-terms.png
Normal file
After Width: | Height: | Size: 180 KiB |
BIN
devices/surface-hub/images/oobe.jpg
Normal file
After Width: | Height: | Size: 27 KiB |
BIN
devices/surface-hub/images/prov.jpg
Normal file
After Width: | Height: | Size: 17 KiB |
BIN
devices/surface-hub/images/setupmsg.jpg
Normal file
After Width: | Height: | Size: 22 KiB |
BIN
devices/surface-hub/images/sh-device-family-availability.png
Normal file
After Width: | Height: | Size: 37 KiB |
BIN
devices/surface-hub/images/sh-org-licensing.png
Normal file
After Width: | Height: | Size: 71 KiB |
BIN
devices/surface-hub/images/sh-quick-action.png
Normal file
After Width: | Height: | Size: 32 KiB |
BIN
devices/surface-hub/images/sh-select-template.png
Normal file
After Width: | Height: | Size: 61 KiB |
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 29 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 17 KiB |
Before Width: | Height: | Size: 33 KiB After Width: | Height: | Size: 23 KiB |
BIN
devices/surface-hub/images/sign-in-prov.png
Normal file
After Width: | Height: | Size: 49 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 52 KiB |
BIN
devices/surface-hub/images/trust-package.png
Normal file
After Width: | Height: | Size: 42 KiB |
BIN
devices/surface-hub/images/who-owns-pc.png
Normal file
After Width: | Height: | Size: 37 KiB |
Before Width: | Height: | Size: 8.0 KiB After Width: | Height: | Size: 56 KiB |
@ -36,14 +36,3 @@ Documents related to the Microsoft Surface Hub.
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -13,22 +13,158 @@ localizationpriority: medium
|
||||
|
||||
# Install apps on your Microsoft Surface Hub
|
||||
|
||||
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
|
||||
|
||||
Admins can install apps can from either the Windows Store or the Windows Store for Business.
|
||||
|
||||
## Using the Windows Store
|
||||
A few things to know about apps on Surface Hub:
|
||||
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
|
||||
- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
|
||||
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
|
||||
- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
|
||||
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.
|
||||
|
||||
|
||||
Admins can install apps on the device using the Windows Store app available in **Settings** > **System** > **Microsoft Surface Hub**. They can start the store app, sign in using their Microsoft account credentials, browse, purchase, and install the apps as with any other Windows device.
|
||||
## Develop and test apps
|
||||
While you're developing your own app, there are a few options for testing apps on Surface Hub.
|
||||
|
||||
## Using the Store for Business
|
||||
### Developer Mode
|
||||
By default, Surface Hub only runs UWP apps that have been published to and signed by the Windows Store. Apps submitted to the Windows Store go through security and compliance tests as part of the [app certification process](https://msdn.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process), so this helps safeguard your Surface Hub against malicious apps.
|
||||
|
||||
By enabling developer mode, you can also install developer-signed UWP apps.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> After developer mode has been enabled, you will need to reset the Surface Hub to disable it. Resetting the device removes all local user files and configurations and then reinstalls Windows.
|
||||
|
||||
**To turn on developer mode**
|
||||
1. From your Surface Hub, start **Settings**.
|
||||
2. Type the device admin credentials when prompted.
|
||||
3. Navigate to **Update & security** > **For developers**.
|
||||
4. Select **Developer mode** and accept the warning prompt.
|
||||
|
||||
### Visual Studio
|
||||
During development, the easiest way to test your app on a Surface Hub is using Visual Studio. Visual Studio's remote debugging feature helps you discover issues in your app before deploying it broadly. For more information, see [Test Surface Hub apps using Visual Studio](https://msdn.microsoft.com/windows/uwp/debug-test-perf/test-surface-hub-apps-using-visual-studio).
|
||||
|
||||
### Provisioning package
|
||||
Use Visual Studio to [create an app package](https://msdn.microsoft.com/library/windows/apps/hh454036.aspx) for your UWP app, signed using a test certificate. Then use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
|
||||
|
||||
|
||||
For apps purchased through the Store for Business, download the Appxbundle, offline license, and the dependencies for the App from the store to a separate PC. Create a provisioning package and copy it to a USB drive. (See [Create a provisioning package](provisioning-packages-for-certificates-surface-hub.md).) Move the USB drive to the Surface Hub, and install the app on the device using the Settings app.
|
||||
## Submit apps to the Windows Store
|
||||
Once an app is ready for release, developers need to submit and publish it to the Windows Store. For more information, see [Publish Windows apps](https://developer.microsoft.com/store/publish-apps).
|
||||
|
||||
During app submission, developers need to set **Device family availability** and **Organizational licensing** options to make sure the app will be available to run on Surface Hub.
|
||||
|
||||
**To set device family availability**
|
||||
1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
|
||||
2. Select **Packages**.
|
||||
3. Under Device family availability, select these options:
|
||||
- **Windows 10 Desktop** (other device families are optional)
|
||||
- **Let Microsoft decide whether to make the app available to any future device families**
|
||||
|
||||
> 
|
||||
|
||||
For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
|
||||
|
||||
**To set organizational licensing**
|
||||
1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
|
||||
2. Select **Pricing and availability**.
|
||||
3. Under Organizational licensing, select **Allow disconnected (offline) licensing for organizations**.
|
||||
|
||||
> 
|
||||
|
||||
> [!NOTE]
|
||||
> **Make my app available to organizations with Store-managed (online) licensing and distribution** is selected by default.
|
||||
|
||||
> [!NOTE]
|
||||
> Developers can also publish line-of-business apps directly to enterprises without making them broadly available in the Store. For more information, see [Distribute LOB apps to enterprises](https://msdn.microsoft.com/windows/uwp/publish/distribute-lob-apps-to-enterprises).
|
||||
|
||||
For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
|
||||
|
||||
|
||||
## Deploy released apps
|
||||
|
||||
There are several options for installing apps that have been released to the Windows Store, depending on whether you want to evaluate them on a few devices, or deploy them broadly to your organization.
|
||||
|
||||
To install released apps:
|
||||
- Download the app using the Windows Store app, or
|
||||
- Download the app package from the Windows Store for Business, and distribute it using a provisioning package or a supported MDM provider.
|
||||
|
||||
### Windows Store app
|
||||
To evaluate apps released on the Windows Store, use the Windows Store app on the Surface Hub to browse and download apps.
|
||||
|
||||
> [!NOTE]
|
||||
> Using the Windows Store app is not the recommended method of deploying apps at scale to your organization:
|
||||
> - To download apps, you must sign in to the Windows Store app with a Microsoft account or organizational account. However, you can only connect an account to a maximum of 10 devices at once. If you have more than 10 Surface Hubs, you will need to create multiple accounts or remove devices from your account between app installations.
|
||||
> - To install apps, you will need to manually sign in to the Windows Store app on each Surface Hub you own.
|
||||
|
||||
**To browse the Windows Store on Surface Hub**
|
||||
1. From your Surface Hub, start **Settings**.
|
||||
2. Type the device admin credentials when prompted.
|
||||
3. Navigate to **This device** > **Apps & features**.
|
||||
4. Select **Open Store**.
|
||||
|
||||
### Download app packages from Windows Store for Business
|
||||
To download the app package you need to install apps on your Surface Hub, visit the [Windows Store for Business](https://www.microsoft.com/business-store). The Store for Business is where you can find, acquire, and manage apps for the Windows 10 devices in your organization, including Surface Hub.
|
||||
|
||||
> [!NOTE]
|
||||
> Currently, Surface Hub only supports offline-licensed apps available through the Store for Business. App developers set offline-license availability when they submit apps.
|
||||
|
||||
Find and acquire the app you want, then download:
|
||||
- The offline-licensed app package (either an .appx or an .appxbundle)
|
||||
- The *unencoded* license file (if you're using provisioning packages to install the app)
|
||||
- The *encoded* license file (if you're using MDM to distribute the app)
|
||||
- Any necessary dependency files
|
||||
|
||||
For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app).
|
||||
|
||||
### Provisioning package
|
||||
You can manually install the offline-licensed apps that you downloaded from the Store for Business on a few Surface Hubs using provisioning packages. Use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package and *unencoded* license file that you downloaded from the Store for Business. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
|
||||
|
||||
### Supported MDM provider
|
||||
To deploy apps to a large number of Surface Hubs in your organization, use a supported MDM provider. The table below shows which MDM providers support deploying offline-licensed app packages.
|
||||
|
||||
| MDM provider | Supports offline-licensed app packages |
|
||||
|-----------------------------|----------------------------------------|
|
||||
| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
|
||||
| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
|
||||
| Microsoft Intune standalone | No |
|
||||
| Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
|
||||
|
||||
**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
|
||||
|
||||
> [!NOTE]
|
||||
> These instructions are based on the current branch of System Center Configuration Manager.
|
||||
|
||||
1. Enroll your Surface Hubs to System Center Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm).
|
||||
2. Download the offline-licensed app package, the *encoded* license file, and any necessary dependency files from the Store for Business. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app). Place the downloaded files in the same folder on a network share.
|
||||
3. In the **Software Library** workspace of the Configuration Manager console, click **Overview** > **Application Management** > **Applications**.
|
||||
4. On the **Home** tab, in the **Create** group, click **Create Application**.
|
||||
5. On the **General** page of the **Create Application Wizard**, select the **Automatically detect information about this application from installation files** check box.
|
||||
6. In the **Type** drop-down list, select **Windows app package (\*.appx, \*.appxbundle)**.
|
||||
7. In the **Location** field, specify the UNC path in the form \\server\share\\filename for the offline-licensed app package that you downloaded from the Store for Business. Alternatively, click **Browse** to browse to the app package.
|
||||
8. On the **Import Information** page, review the information that was imported, and then click **Next**. If necessary, you can click **Previous** to go back and correct any errors.
|
||||
9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package.
|
||||
10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard.
|
||||
11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application).
|
||||
12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications).
|
||||
13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx).
|
||||
|
||||
> [!NOTE]
|
||||
> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to System Center Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with System Center Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Windows Store for Business with System Center Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx).
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
There are a few different ways to install apps on your Surface Hub depending on whether you are developing apps, evaluating apps on a small number of devices, or deploying apps broadly to your oganization. This table summarizes the supported methods:
|
||||
|
||||
| Install method | Developing apps | Evaluating apps on <br> a few devices | Deploying apps broadly <br> to your organization |
|
||||
| -------------------------- | --------------- | ------------------------------------- | ---------------------- |
|
||||
| Visual Studio | X | | |
|
||||
| Provisioning package | X | X | |
|
||||
| Windows Store app | | X | |
|
||||
| Supported MDM provider | | | X |
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Manage Microsoft Surface Hub](manage-surface-hub.md)
|
||||
|
||||
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
|
||||
|
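Review bot: Under **Develop and test apps**, the Provisioning package subsection describes installing an app package "signed using a test certificate" but does not say whether that install needs developer mode or needs the test certificate to be trusted on the device first. The text above it states that apps must be Store-signed by default, so the trust requirement should be spelled out here, along with a reminder that per the `[!IMPORTANT]` note developer mode can only be turned off by a reset. Two smaller points: in step 7 of the Configuration Manager procedure, `\\server\share\\filename` will lose its leading double backslash when the Markdown is rendered, so put the UNC path in a code span; and "oganization" in the Summary paragraph should be "organization".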
@ -13,116 +13,214 @@ localizationpriority: medium
|
||||
|
||||
# Manage settings with an MDM provider (Surface Hub)
|
||||
|
||||
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
|
||||
|
||||
Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
|
||||
Surface Hub has been validated with Microsoft’s first-party MDM providers:
|
||||
- On-premises MDM with System Center Configuration Manager (beginning in version 1602)
|
||||
- Hybrid MDM with System Center Configuration Manager and Microsoft Intune
|
||||
- Microsoft Intune standalone
|
||||
|
||||
The Surface Hub operating system has a built-in management component that's used to communicate with the device management server. There are two parts to the Surface Hub management component: the enrollment client, which enrolls and configures the device to communicate with the enterprise management server; and the management client, which periodically synchronizes with the management server to check for and apply updates. Third-party MDM servers can manage Surface Hub devices by using the Mobile Device Management protocol.
|
||||
You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
|
||||
|
||||
### Supported services
|
||||
## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
|
||||
You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
|
||||
|
||||
Surface Hub management has been validated for the following MDM providers:
|
||||
> [!NOTE]
|
||||
> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
|
||||
> **To disable automatic enrollment for Microsoft Intune**
|
||||
> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
|
||||
> 2. Click the **Applications** tab, then click **Microsoft Intune**.
|
||||
> 3. Under **Manage devices for these users**, click **Groups**.
|
||||
> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune.
|
||||
> 5. Click the checkmark button, then click **Save**.
|
||||
|
||||
- Microsoft Intune
|
||||
- System Center Configuration Manager
|
||||
### Bulk enrollment
|
||||
**To configure bulk enrollment**
|
||||
- Surface Hub supports the [Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) for bulk enrollment into MDM. For more information, see [Windows 10 bulk enrollment](https://msdn.microsoft.com/library/windows/hardware/mt613115.aspx).<br>
|
||||
--OR--
|
||||
- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
|
||||
|
||||
### <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
|
||||
### Manual enrollment
|
||||
You can manually enroll with an MDM using the **Settings** app on your Surface Hub.
|
||||
|
||||
If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscription, the device can automatically enroll into MDM and will be ready for remote management.
|
||||
**To configure manual enrollment**
|
||||
1. From your Surface Hub, open **Settings**.
|
||||
2. Type the device admin credentials when prompted.
|
||||
3. Select **This device**, and navigate to **Device management**.
|
||||
4. Under **Device management**, select **+ Device management**.
|
||||
5. Follow the instructions in the dialog to connect to your MDM provider.
|
||||
|
||||
Alternatively, the device can be enrolled like any other Windows device by going to **Settings** > **Accounts** > **Work access**.
|
||||
## Manage Surface Hub settings with MDM
|
||||
|
||||

|
||||
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
|
||||
|
||||
### Manage a device through MDM
|
||||
### Supported Surface Hub CSP settings
|
||||
|
||||
The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings.
|
||||
You can configure the Surface Hub settings in the following table using MDM. The table also tells if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="25%" />
|
||||
<col width="25%" />
|
||||
<col width="25%" />
|
||||
<col width="25%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left"></th>
|
||||
<th align="left">Setting</th>
|
||||
<th align="left">OMA URI</th>
|
||||
<th align="left">Type</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>1</p></td>
|
||||
<td align="left"><p>Auto Awake when someone is in the room</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen</p></td>
|
||||
<td align="left"><p>Boolean</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>2</p></td>
|
||||
<td align="left"><p>Require that people must enter a PIN when pairing to the Surface Hub</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired</p></td>
|
||||
<td align="left"><p>Boolean</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>3</p></td>
|
||||
<td align="left"><p>Set the maintenance window duration. This time is in minutes. As an example, to set a 3 hour duration, you set the value to 180.</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration</p></td>
|
||||
<td align="left"><p>Int</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>4</p></td>
|
||||
<td align="left"><p>Set the maintenance window start time. This time is in minutes past midnight. To set a 2:00 am start time, set a value of 120, meaning 120 minutes past midnight.</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime</p></td>
|
||||
<td align="left"><p>Int</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>5</p></td>
|
||||
<td align="left"><p>The Microsoft Operations Management Suite (OMS) Workspace ID that this device will connect to.</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID</p></td>
|
||||
<td align="left"><p>String</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>6</p></td>
|
||||
<td align="left"><p>The key that must be used when connecting to the specified OMS workspace.</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey</p></td>
|
||||
<td align="left"><p>String</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>7</p></td>
|
||||
<td align="left"><p>Choose the meeting information displayed on the welcome screen.</p>
|
||||
<p>Value : 0 - Show organizer and time only</p>
|
||||
<p>Value : 1 - Show organizer, time, and subject (subject is hidden for private meetings)</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption</p></td>
|
||||
<td align="left"><p>Int</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>8</p></td>
|
||||
<td align="left"><p>Enable/Disable all Wireless Projection to the Surface Hub</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled</p></td>
|
||||
<td align="left"><p>Boolean</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>9</p></td>
|
||||
<td align="left"><p>Select a specific wireless channel on which Miracast Receive will operate</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel</p></td>
|
||||
<td align="left"><p>Int</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>10</p></td>
|
||||
<td align="left"><p>Change the background image for the welcome screen using a PNG image URL.</p></td>
|
||||
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)</p></td>
|
||||
<td align="left"><p>String</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
|
||||
|
||||
| Setting | Node in the SurfaceHub CSP | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| -------------------- | -----------------------|-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
|
||||
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
|
||||
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
|
||||
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> Use a custom setting. | Yes |
|
||||
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
|
||||
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> Use a custom setting. | Yes |
|
||||
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> Use a custom setting. | Yes |
|
||||
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> Use a custom setting. | Yes |
|
||||
| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
|
||||
| Device account, including password rotation | DeviceAccount/\<name of policy\> <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
|
||||
|
||||
|
||||
### Supported Windows 10 settings
|
||||
|
||||
In addition to Surface Hub specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025.aspx).
|
||||
|
||||
The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table also tells if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
|
||||
|
||||
#### Security settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
|
||||
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/\<name of policy\> <br> See [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
|
||||
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
|
||||
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
|
||||
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
|
||||
|
||||
#### Browser settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Allow search suggestions | Use to block search suggestions in the address bar| [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Allow SmartScreen | Keep this enabled to turn on SmartScreen | [Browser/AllowSmartScreen](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
|
||||
#### Windows Update settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
|
||||
| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
|
||||
| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/\<name of policy\> <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
|
||||
#### Windows Defender settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Defender policies. |Use to configure various Defender settings, including a scheduled scan time. | Defender/\<name of policy\> <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes
|
||||
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
|
||||
|
||||
#### Remote reboot settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Reboot the device immediately| Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx) | No | No | Yes |
|
||||
| Reboot the device at a scheduled date and time| See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
| Reboot the device daily at a scheduled date and time| See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
|
||||
|
||||
#### Certficate settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Install certificates | Use to deploy certificates to the Surface Hub. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) <br> [ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx) | Yes. <br> See [Secure resource access with certificate profiles](https://docs.microsoft.com/intune/deploy-use/secure-resource-access-with-certificate-profiles). | Yes. <br> See [How to create certificate profiles in Configuration Manager](https://technet.microsoft.com/library/dn270541.aspx). | Yes |
|
||||
|
||||
#### Log settings
|
||||
|
||||
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
|
||||
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
|
||||
| Log collection | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes |
|
||||
|
||||
### Generate OMA URIs for settings
|
||||
You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
|
||||
|
||||
**To generate the OMA URI for any setting in the CSP documentation**
|
||||
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/<name of CSP>`. <br>
|
||||
For example, the root node of the [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) is `./Vendor/MSFT/SurfaceHub`.
|
||||
2. Identify the node path for the setting you want to use. <br>
|
||||
For example, the node path for the setting to enable wireless projection is `InBoxApps/WirelessProjection/Enabled`.
|
||||
3. Append the node path to the root node to generate the OMA URI. <br>
|
||||
For example, the OMA URI for the setting to enable wireless projection is `./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled`.
|
||||
|
||||
The data type is also stated in the CSP documentation. The most common data types are:
|
||||
- char (String)
|
||||
- int (Integer)
|
||||
- bool (Boolean)
|
||||
|
||||
## Example: Manage Surface Hub settings with Micosoft Intune
|
||||
|
||||
You can use Microsoft Intune to manage Surface Hub settings.
|
||||
|
||||
**To create a configuration policy from a template**
|
||||
|
||||
You'll use the **Windows 10 Team general configuration policy** as the template.
|
||||
|
||||
1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
|
||||
2. On the left-hand navigation menu, click **Policy**.
|
||||
3. In the Overview page, click **Add Policy**.
|
||||
4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**.
|
||||
5. Configure your policy, then click **Save Policy**
|
||||
6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
|
||||
|
||||
**To create a custom configuration policy**
|
||||
|
||||
You’ll need to create a custom policy to manage settings that are not available in the template.
|
||||
|
||||
1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
|
||||
2. On the left-hand navigation menu, click **Policy**.
|
||||
3. In the Overview page, click **Add Policy**.
|
||||
4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
|
||||
5. Type a name and optional description for the policy.
|
||||
6. Under OMA-URI Settings, click **Add**.
|
||||
7. Complete the form to create a new setting, and then click **OK**.
|
||||
8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
|
||||
9. Once you're done, click **Save Policy** and deploy it to a user or device group.
|
||||
|
||||
## Example: Manage Surface Hub settings with System Center Configuration Manager
|
||||
System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
|
||||
|
||||
> [!NOTE]
|
||||
> These instructions are based on the current branch of System Center Configuration Manager.
|
||||
|
||||
**To create a configuration item for Surface Hub settings**
|
||||
|
||||
1. On the **Assets and Compliance** workspace of the Configuration Manager console, click **Overview** > **Compliance Settings** > **Configuration Items**.
|
||||
2. On the **Home** tab, in the **Create** group, click **Create Configuration Item**.
|
||||
3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
|
||||
4. Under **Specify the type of configuration item that you want to create**, select **Windows 8.1 and Windows 10**.
|
||||
5. Click **Categories** if you create and assign categories to help you search and filter configuration items in the Configuration Manager console.
|
||||
6. On the **Supported Platforms** page, select **Windows 10** > **All Windows 10 Team and higher**. Unselect the other Windows platforms.
|
||||
7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
|
||||
8. On the **Windows 10 Team** page, configure the settings you require.
|
||||
9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
|
||||
10. On the **Additional Settings** page, click **Add**.
|
||||
11. On the **Browse Settings** dialog, click **Create Setting**.
|
||||
12. On the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
|
||||
13. Under **Setting type**, select **OMA URI**.
|
||||
14. Complete the form to create a new setting, and then click **OK**.
|
||||
15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
|
||||
16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
|
||||
17. Repeat Steps 10 to 16 for each custom setting you want to add to the configuration item.
|
||||
18. Once you're done, on the **Browse Settings** dialog, click **Close**.
|
||||
19. Complete the wizard. <br> You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace.
|
||||
|
||||
For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Manage Microsoft Surface Hub](manage-surface-hub.md)
|
||||
|
||||
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
|
||||
|
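Review bot: In the "Supported Surface Hub CSP settings" part of this hunk, the Markdown table row for `InBoxApps/Welcome/CurrentBackgroundPath` has no equivalent of the "(Note: must be accessed using https.)" remark that the HTML table row carries. The Markdown rows for `MaintenanceHoursSimple/Hours/StartTime`, `MaintenanceHoursSimple/Hours/Duration` and `InBoxApps/Welcome/MeetingInfoOption` likewise do not state the units (minutes past midnight, minutes) or the 0/1 values. If the Markdown table is the version that stays, add a details column or a sentence under the table, so that an admin writing custom SyncML has the https requirement and the value semantics on this page rather than only behind the CSP link. Smaller points in the same hunk: the headings "#### Certficate settings" and "## Example: Manage Surface Hub settings with Micosoft Intune" are misspelled, the "Defender policies." row is missing its closing `|`, and the link text `Update/ DeferFeatureUpdatesPeriodInDays` has a stray space after the slash.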
@ -13,72 +13,128 @@ localizationpriority: medium
|
||||
|
||||
# Monitor your Microsoft Surface Hub
|
||||
|
||||
Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). The [Operations Management Suite](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs.
|
||||
|
||||
Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
|
||||
|
||||
The [Operations Management Suite (OMS)](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs. You can use OMS to help you track the health of your Surface Hubs as well as understand how they are being used. Log files are read on the devices and sent to the OMS service. Issues like servers being offline, the calendar not syncing, or the device account being unable to log into Skype are shown in OMS in the Surface Hub dashboard. By using the data in the dashboard, you can identify devices that are not running, or that are having other problems, and potentially apply fixes for the detected issues.
|
||||
Surface Hub is offered as a Log Analytics solution in OMS, allowing you to collect and view usage and reliability data across all your Surface Hubs. Use the Surface Hub solution to:
|
||||
- Inventory your Surface Hubs.
|
||||
- View a snapshot of usage and reliability data for Skype meetings, wired and wireless projection, and apps on your Surface Hubs.
|
||||
- Create custom alerts to respond quickly if your Surface Hubs report software or hardware issues.
|
||||
|
||||
### OMS requirements
|
||||
## Add Surface Hub to Operations Management Suite
|
||||
|
||||
In order to manage your Surface Hubs from the Microsoft Operations Management Suite (OMS), you'll need the following:
|
||||
1. **Sign in to Operations Management Suite (OMS)**. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
|
||||
2. **Create a new OMS workspace**. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
|
||||
3. **Link Azure subscription to your workspace**. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
|
||||
> [!NOTE]
|
||||
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
|
||||
4. **Add Surface Hub solution**. In the Solutions Gallery, select the **Surface Hub** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace.
|
||||
|
||||
- A valid [subscription to OMS](http://www.microsoft.com/server-cloud/operations-management-suite/overview.aspx).
|
||||
- [Subscription level](https://go.microsoft.com/fwlink/?LinkId=718139) in line with the number of devices. OMS pricing varies depending on how many devices are enrolled, and how much data it processes. You'll want to take this into consideration when planning your Surface Hub rollout.
|
||||
## Use the Surface Hub dashboard
|
||||
From the **Overview** page in your OMS workspace, click the Surface Hub tile to see the Surface Hub dashboard. Use the dashboard to get a snapshot of usage and reliability data across your Surface Hubs. Click into each view on the dashboard to see detailed data, modify the query as desired, and create alerts.
|
||||
|
||||
Next, you will either add an OMS subscription to your existing Microsoft Azure subscription or create a new workspace directly through the OMS portal. Detailed instructions for setting up the account can be found at: [Onboard in minutes](https://go.microsoft.com/fwlink/?LinkId=718141). Once the OMS subscription is set up, there are two ways to enroll your Surface Hub devices:
|
||||
> [!NOTE]
|
||||
> Most of these views show data for the past 30 days, but this is subject to your subscription's data retention policy.
|
||||
|
||||
1. Automatically through [InTune](https://go.microsoft.com/fwlink/?LinkId=718150), or
|
||||
2. Manually through Settings.
|
||||
**Active Surface Hubs**
|
||||
|
||||
### Setting up monitoring
|
||||
Use this view to get an inventory of all your Surface Hubs. Once connected to OMS, each Surface Hub periodically sends a "heartbeat" event to the server. This view shows Surface Hubs that have reported a heartbeat in the past 24 hours.
|
||||
|
||||
You can monitor health and activity of your Surface Hub using Microsoft Operations Management Suite (OMS). The device can be enrolled in OMS remotely, using InTune, or locally, by using Settings.
|
||||
**Skype meetings**
|
||||
|
||||
### Enrolling devices through InTune
|
||||
Use this view to get usage data for Skype over the past 30 days. The graph shows the total number of Skype Meetings started across your Surface Hubs, and a breakdown between scheduled meetings, ad hoc meetings, and PSTN calls.
|
||||
|
||||
You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
|
||||
**Wireless projection**
|
||||
|
||||
InTune is a Microsoft product that allows you to centrally manage the OMS configuration settings that will be applied to one or more of your devices. Follow these steps to configure your devices through InTune:
|
||||
Use this view to get usage and reliability data for wireless projection over the past 30 days. The graph shows the total number of wireless connections across all your Surface Hubs, which provides an indication whether people in your organization are using this feature. If it's a low number, it may suggest a need to provide training to help people in your organization learn how to wirelessly connect to a Surface Hub.
|
||||
|
||||
1. Sign in to InTune.
|
||||
2. Navigate to **Settings** > **Connected Sources**.
|
||||
3. Create or edit a policy based on the Surface Hub template.
|
||||
4. Navigate to the OMS section of the policy, and add the **workspace ID** and **primary key** to the policy.
|
||||
5. Save the policy.
|
||||
6. Associate the policy with the appropriate group of devices.
|
||||
Also, the graph shows a breakdown of successful and unsuccessful connections. If you see a high number of unsuccessful connections, devices may not properly support wireless projection using Miracast. For best performance, Microsoft suggests that devices run a WDI Wi-Fi driver and a WDDM 2.0 graphics driver. Use the details view to learn if wireless projection problems are common with particular devices.
|
||||
|
||||
InTune will now sync the OMS settings with the devices in the target group, enrolling them in your OMS workspace.
|
||||
When a connection fails, users can also do the following if they are using a Windows laptop or phone:
|
||||
- Remove the paired device from **Settings** > **Devices** > **Connected devices**, then try to connect again.
|
||||
- Reboot the device.
|
||||
|
||||
### Enrolling devices using the Settings app
|
||||
**Wired projection**
|
||||
|
||||
You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
|
||||
Use this view to get usage and reliability data for wired projection over the past 30 days. If the graph shows a high number of unsuccessful connections, it may indicate a connectivity issue in your audio-visual pipeline. For example, if you use a HDMI repeater or a center-of-room control panel, they may need to be restarted.
|
||||
|
||||
If you don't use InTune to manage your environment, you can enroll devices manually through **Settings**:
|
||||
**Application usage**
|
||||
|
||||
Use this view to get usage data for apps on your Surface Hubs over the past 30 days. The data comes from app launches on your Surface Hubs, not including Skype for Business. This view helps you understand which Surface Hub apps are the most valuable in your organization. If you are deploying new line-of-business apps in your environment, this can also help you understand how often they are being used.
|
||||
|
||||
**Application Crashes**
|
||||
|
||||
Use this view to get reliability data for apps on your Surface Hubs over the past 30 days. The data comes from app crashes on your Surface Hubs. This view helps you detect and notify app developers of poorly behaving in-box and line-of-business apps.
|
||||
|
||||
**Sample Queries**
|
||||
|
||||
Use this to create custom alerts based on a recommended set of queries. Alerts help you respond quickly if your Surface Hubs report software or hardware issues. For more inforamtion, see [Set up alerts using sample queries](#set-up-alerts-with-sample-queries).
|
||||
|
||||
## Set up alerts with sample queries
|
||||
|
||||
Use alerts to respond quickly if your Surface Hubs report software or hardware issues. Alert rules automatically run log searches according to a schedule, and runs one or more actions if the results match specific criteria. For more information, see [Alerts in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-alerts/).
|
||||
|
||||
The Surface Hub Log Analytics solution comes with a set of sample queries to help you set up the appropriate alerts and understand how to resolve issues you may encounter. Use them as a starting point to plan your monitoring and support strategy.
|
||||
|
||||
This table describes the sample queries in the Surface Hub solution:
|
||||
|
||||
| Alert type | Impact | Recommended remediation | Details |
|
||||
| ---------- | ------ | ----------------------- | ------- |
|
||||
| Software | Error | **Reboot the device**. <br> Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). <br> Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: <br> - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. <br> - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
|
||||
| Software | Error | **Check your Exchange service**. <br> Verify: <br> - The service is available. <br> - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
|
||||
| Software | Error | **Check your Skype for Business service**. <br> Verify: <br> - The service is available. <br> - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details. <br> - The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. |
|
||||
| Software | Error | **Reset the device**. <br> This takes some time, so you should take the device offline. <br> For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
|
||||
| Hardware | Warning | **None**. Indicates negligible impact to functionality.| Triggers when there is an error with any of the following hardware components: <br> - Virtual pen slots <br> - NFC driver <br> - USB hub driver <br> - Bluetooth driver <br> - Proximity sensor <br> - Graphical performance (video card driver) <br> - Mismatched hard drive <br> - No keyboard/mouse detected |
|
||||
| Hardware | Error | **Contact Microsoft support**. <br> Indicates impact to core functionality (such as Skype, projection, touch, and internet connectivity). <br> **Note** Some events, including heartbeat, include the device’s serial number that you can use when contacting support.| Triggers when there is an error with any of the following hardware components. <br> **Components that affect Skype**: <br> - Speaker driver <br> - Microphone driver <br> - Camera driver <br> **Components that affect wired and wireless projection**: <br> - Wired touchback driver <br> - Wired ingest driver <br> - Wireless adapter driver <br> - Wi-Fi Direct error <br> **Other components**: <br> - Touch digitizer driver <br> - Network adapter error (not reported to OMS)|
|
||||
|
||||
**To set up an alert**
|
||||
1. From the Surface Hub solution, select one of the sample queries.
|
||||
2. Modify the query as desired. See Log Analytics search reference to learn more.
|
||||
3. Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/en-us/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert.
|
||||
4. Click **Save** to complete the alert rule. It will start running immediately.
|
||||
|
||||
## Enroll your Surface Hub
|
||||
|
||||
For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
|
||||
|
||||
| Agent resource | Ports | Bypass HTTPS inspection? |
|
||||
| --------------------------- | ----- | ------------------------ |
|
||||
| *.ods.opinsights.azure.com | 443 | Yes |
|
||||
| *.oms.opinsights.azure.com | 443 | Yes |
|
||||
| *.blob.core.windows.net | 443 | Yes |
|
||||
| ods.systemcenteradvisor.com | 443 | No |
|
||||
|
||||
The Microsoft Monitoring Agent, used to connect devices to OMS, is integrated with the Surface Hub operating system, so there is no need to install additional clients to connect Surface Hub to OMS.
|
||||
|
||||
Once your OMS workspace is set up, there are several ways to enroll your Surface Hub devices:
|
||||
- [Settings app](#enroll-using-the-settings-app)
|
||||
- [Provisioning package](#enroll-using-a-provisioning-package)
|
||||
- [MDM provider](#enroll-using-a-mdm-provider), such as Microsoft Intune and Configuration Manager
|
||||
|
||||
You'll need the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
|
||||
|
||||
### Enroll using the Settings app
|
||||
|
||||
**To Enroll using the settings app**
|
||||
|
||||
1. From your Surface Hub, start **Settings**.
|
||||
2. Enter the device admin credentials when prompted.
|
||||
3. Click **System**, and navigate to Microsoft Operations Management Suite.
|
||||
4. Click **Configure**.
|
||||
5. Select **Enable monitoring**.
|
||||
6. In the OMS settings dialog, type the **workspace ID**.
|
||||
7. Repeat steps 5 and 6 for the **primary key**.
|
||||
8. Click **OK** to complete the configuration.
|
||||
3. Select **This device**, and navigate to **Device management**.
|
||||
4. Under **Monitoring**, select **Configure OMS settings**.
|
||||
5. In the OMS settings dialog, select **Enable monitoring**.
|
||||
6. Type the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
|
||||
7. Click **OK** to complete the configuration.
|
||||
|
||||
A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS.
|
||||
|
||||
### Monitoring devices
|
||||
### Enroll using a provisioning package
|
||||
You can use a provisioning package to enroll your Surface Hub. For more infomation, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
|
||||
|
||||
Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices.
|
||||
|
||||
1. Sign in to the OMS portal.
|
||||
2. Navigate to the Surface Hub solution pack dashboard.
|
||||
3. Your device's health will be displayed here.
|
||||
|
||||
You can create OMS alerts based on existing or custom queries that use the data collected through OMS.
|
||||
### Enroll using a MDM provider
|
||||
You can enroll Surface Hub into OMS using the SurfaceHub CSP. Intune and Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. For more information, see [Manage Surface Hub settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Manage Microsoft Surface Hub](manage-surface-hub.md)
|
||||
|
||||
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
|
||||
|
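Review bot: The new "Enroll your Surface Hub" section asks for the workspace ID and primary key on all three paths (Settings app, provisioning package, MDM provider) but never states that the primary key is a credential for the OMS workspace. Add a sentence saying it should be handled as a secret and that any provisioning package or MDM policy carrying it needs the same care. In the firewall table, "Bypass HTTPS inspection? Yes" is set for the broad wildcard `*.blob.core.windows.net`; a line explaining why the bypass is required would help admins justify and scope that exception. Smaller points: step 2 of "To set up an alert" mentions "Log Analytics search reference" without a link, the two "Alerts in Log Analytics" links use different URL forms (with and without `/en-us/`), and there are typos to fix: "inforamtion", "infomation", "This table list the ports", and "and runs one or more actions".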
@ -71,7 +71,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
|
||||
|
||||
```PowerShell
|
||||
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
|
||||
```
|
||||
|
||||
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
|
||||
|
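Review bot: The first `Set-CalendarProcessing` line, left as unchanged context, still uses en dashes in `–AllowConflicts` and `–DeleteComments` while every other parameter uses a plain hyphen. Since this change already edits the block to replace the `<tla rid="surface_hub"/>` placeholder, normalize those two to `-` so the command is consistent and safe to copy into scripts. Step 5 under the block mentions setting the password to not expire without naming the alternative; a pointer to automatic rotation, which the linked Password management topic describes, would give readers both options.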
@ -13,62 +13,24 @@ localizationpriority: medium
|
||||
|
||||
# Password management (Surface Hub)
|
||||
|
||||
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change (or "rotate") this password regularly. However, if the device account’s password changes, the password that was previously stored on the Surface Hub will be invalid, and all features that depend on the device account will be disabled. You will need to update the device account’s password on the Surface Hub from the Settings app to re-enable these features.
|
||||
|
||||
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device account’s password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device account’s password on the Surface Hub from the Settings app to re-enable these features.
|
||||
To simplify password management for your Surface Hub device accounts, there are two options:
|
||||
|
||||
To prevent the device account from expiring, there are two options:
|
||||
|
||||
1. Set the password on the device account so it doesn't expire.
|
||||
1. Turn off password expiration for the device account.
|
||||
2. Allow the Surface Hub to automatically rotate the device account’s password.
|
||||
|
||||
## Setting the password so it doesn't expire
|
||||
|
||||
## Turn off password rotation for the device account
|
||||
|
||||
Set the device account’s **PasswordNeverExpires** property to True. You should verify whether this meets your organization’s security requirements.
|
||||
|
||||
## Allow the Surface Hub to manage the password
|
||||
|
||||
|
||||
The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily.
|
||||
|
||||
Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password.
|
||||
|
||||
For your device account to use password rotation, you must meet enter the device account’s information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted:
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Environment</th>
|
||||
<th align="left">Required format for device account</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Device account is hosted only online</p></td>
|
||||
<td align="left"><p>username@contoso.com</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Device account is hosted only on-prem</p></td>
|
||||
<td align="left"><p>DOMAIN\username</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Device account is hosted online and on-prem (hybrid)</p></td>
|
||||
<td align="left"><p>DOMAIN\username</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Allow the Surface Hub to automatically rotate the device account’s password
|
||||
|
||||
The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information. You can enable this feature in **Settings**. Once enabled, the device account's password will change weekly during maintenance hours.
|
||||
|
||||
Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory or the Office 365 admin portal to reset the password.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If your organization uses a hybrid topology (some services are hosted on-premises and some are hosted online through Office 365), you must setup the device account in **domain\username** format. Otherwise, password rotation will not work.
|
||||
|
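Review bot: The new heading "Turn off password rotation for the device account" does not match the option it introduces, "Turn off password expiration for the device account", and the body under it sets **PasswordNeverExpires**. Rename the heading to "Turn off password expiration for the device account" so it is not read as disabling the rotation feature described in the next section. The removed table gave the required account format for online-only (`username@contoso.com`) and on-prem (`DOMAIN\username`) accounts, while the new text keeps only the hybrid case in the IMPORTANT note; consider saying what format online-only accounts should use, or stating that only hybrid is constrained. The sentence dropping "You should verify whether this meets your organization's security requirements" is worth keeping next to **PasswordNeverExpires**. Wording fixes in the new lines: "( or "rotate")" has a stray space, "you'll need use Active Directory" is missing "to", and "must setup" should be "must set up".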
@ -13,248 +13,209 @@ localizationpriority: medium
|
||||
|
||||
# Create provisioning packages (Surface Hub)
|
||||
|
||||
This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
|
||||
|
||||
For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
|
||||
You can apply a provisioning package using a USB during first run, or through the **Settings** app.
|
||||
|
||||
In this topic, you'll find the following information:
|
||||
|
||||
- [Introduction to provisioning packages](#intro-prov-pkg)
|
||||
- [What can provisioning packages configure for Microsoft Surface Hubs?](#what-can-prov-pkg)
|
||||
- [How do I create and deploy a provisioning package?](#how-do-i-prov-pkg)
|
||||
- [Requirements](#requirements-prov-pkg)
|
||||
- [Install the Windows Imaging and Configuration Designer](#installing-wicd-prov-pkg)
|
||||
- [Create a provisioning package for certificates](#creating-prov-pkg-certs)
|
||||
- [Create a provisioning package for apps](#creating-prov-pkg-apps)
|
||||
- [Deploy a provisioning package to a Surface Hub](#deploy-to-hub-prov-pkg)
|
||||
- [Deploy a provisioning package using first run](#deploy-via-oobe-prov-pkg)
|
||||
- [Deploy a provisioning package using Settings](#deploy-via-settings-prov-pkg)
|
||||
## Advantages
|
||||
- Quickly configure devices without using a MDM provider.
|
||||
|
||||
### <a href="" id="intro-prov-pkg"></a>Introduction to provisioning packages
|
||||
- No network connectivity required.
|
||||
|
||||
Provisioning packages are created using Windows Imaging and Configuration Designer (WICD), which is a part of the Windows Assessment and Deployment Kit (ADK). For Surface Hub, the provisioning packages can be placed on a USB drive.
|
||||
- Simple to apply.
|
||||
|
||||
### <a href="" id="what-can-prov-pkg"></a>What can provisioning packages configure for Surface Hubs?
|
||||
[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages)
|
||||
|
||||
Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios.
|
||||
|
||||
You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps).
|
||||
## Requirements
|
||||
|
||||
>**Note** Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
|
||||
To create and apply a provisioning package to a Surface Hub, you'll need the following:
|
||||
|
||||
|
||||
|
||||
### <a href="" id="how-do-i-prov-pkg"></a>How do I create and deploy a provisioning package?
|
||||
|
||||
Provisioning packages must be created using the Windows Imaging and Configuration Designer (ICD).
|
||||
|
||||
### <a href="" id="requirements-prov-pkg"></a>Requirements
|
||||
|
||||
In order to create and deploy provisioning packages, all of the following are required:
|
||||
|
||||
- Access to the Settings app on Surface Hub (using admin credentials which were configured at initial setup of the Surface Hub).
|
||||
- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the windows 10 Assessment and Deployment Kit (ADK).
|
||||
- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740).
|
||||
- A PC running Windows 10.
|
||||
- USB flash drive.
|
||||
- A USB flash drive.
|
||||
- If you apply the package using the **Settings** app, you'll need device admin credentials.
|
||||
|
||||
### <a href="" id="installing-wicd-prov-pkg"></a>Install the Windows Imaging and Configuration Designer
|
||||
You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
|
||||
|
||||
1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718147).
|
||||
>**Note** The ADK must be installed on a separate PC, not on the Surface Hub.
|
||||
|
||||
2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
|
||||
## Supported items for Surface Hub provisioning packages
|
||||
|
||||
Before going to the next step, make sure you have the following checked:
|
||||
Currently, you can add these items to provisioning packages for Surface Hub:
|
||||
- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange.
|
||||
- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev.
|
||||
- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
|
||||
- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
|
||||
|
||||
- **Deployment Tools**
|
||||
- **Windows Preinstallation Environment**
|
||||
- **Imaging and Configuration Designer**
|
||||
- **User State Migration Tool**
|
||||
|
||||
All four of these features are required to run the ICD and create a package for the Surfact Hub.
|
||||
## Create the provisioning package
|
||||
|
||||

|
||||
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
|
||||
|
||||
3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
|
||||
1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
|
||||
|
||||
### <a href="" id="creating-prov-pkg-certs"></a>Create a provisioning package for certificates
|
||||
2. Click **Advanced provisioning**.
|
||||
|
||||
This example will demonstrate how to create a provisioning package to install a certificate.
|
||||

|
||||
|
||||
1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
|
||||
3. Name your project and click **Next**.
|
||||
|
||||

|
||||
4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
|
||||
|
||||
2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
|
||||

|
||||
|
||||

|
||||
5. In the project, under **Available customizations**, select **Common Team edition settings**.
|
||||
|
||||
Select the settings that are **Common to all Windows editions**, and click **Next**.
|
||||

|
||||
|
||||

|
||||
|
||||
When asked to import a provisioning package, just click **Finish.**
|
||||
### Add a certificate to your package
|
||||
You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
|
||||
|
||||

|
||||
> [!NOTE]
|
||||
> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
|
||||
|
||||
3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
|
||||
1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
|
||||
|
||||

|
||||
2. Enter a **CertificateName** and then click **Add**.
|
||||
|
||||
In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
|
||||
2. Enter the **CertificatePassword**.
|
||||
|
||||
4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
|
||||
3. For **CertificatePath**, browse and select the certificate.
|
||||
|
||||

|
||||
4. Set **ExportCertificate** to **False**.
|
||||
|
||||
5. In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
|
||||
5. For **KeyLocation**, select **Software only**.
|
||||
|
||||

|
||||
|
||||
6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
|
||||
### Add a Universal Windows Platform (UWP) app to your package
|
||||
Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
|
||||
|
||||

|
||||
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
|
||||
|
||||
7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
|
||||
2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \<PFM\>...\</PFM\> tags.
|
||||
|
||||

|
||||
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
|
||||
|
||||
Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
|
||||
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
|
||||
|
||||

|
||||
If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
|
||||
|
||||
Choose where to save the provisioning package, and click **Next**.
|
||||
1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
|
||||
|
||||

|
||||
2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
|
||||
|
||||
Review the information shown, and if it looks good, click **Build**.
|
||||
3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \<License\> tag, use the value in the **LicenseID** attribute.
|
||||
|
||||

|
||||
4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
|
||||
|
||||
You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
|
||||
|
||||

|
||||
### Add a policy to your package
|
||||
Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
|
||||
|
||||
8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
|
||||
1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
|
||||
|
||||
### <a href="" id="creating-prov-pkg-apps"></a>Create a provisioning package for apps
|
||||
2. Select one of the available policy areas.
|
||||
|
||||
This example will demonstrate how to create a provisioning package to install offline-licensed apps purchased from the Windows Store for Business. For information on offline-licensed apps and what you need to download in order to install them, see [Distribute offline apps](https://go.microsoft.com/fwlink/?LinkId=718148).
|
||||
3. Select and set the policy you want to add to your provisioning package.
|
||||
|
||||
For each app you want to install on Surface Hubs, you'll need to download:
|
||||
|
||||
- App metadata
|
||||
- App package
|
||||
- App license
|
||||
### Add Surface Hub settings to your package
|
||||
|
||||
Depending on the app, you may or may not need to download a new app framework.
|
||||
You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
|
||||
|
||||
1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
|
||||
1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
|
||||
|
||||

|
||||
2. Select one of the available setting areas.
|
||||
|
||||
2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
|
||||
3. Select and set the setting you want to add to your provisioning package.
|
||||
|
||||

|
||||
|
||||
Select the settings that are **Common to all Windows editions**, and click **Next**.
|
||||
## Build your package
|
||||
|
||||

|
||||
1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
|
||||
|
||||
When asked to import a provisioning package, just click **Finish.**
|
||||
2. Read the warning that project files may contain sensitive information, and click **OK**.
|
||||
|
||||

|
||||
> [!IMPORTANT]
|
||||
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
|
||||
|
||||
3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **UniversalAppInstall** and click **DeviceContextApp**.
|
||||
3. On the **Export** menu, click **Provisioning package**.
|
||||
|
||||

|
||||
4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
|
||||
|
||||
In the center pane, you’ll be asked to specify a **PackageFamilyName** for the app. This is one of the things you downloaded from the Store for Business. Click **Add**, and an entry will be added in the left pane.
|
||||
5. Set a value for **Package Version**, and then select **Next.**
|
||||
|
||||
4. In the **Available customizations** pane on the left, new categories will be displayed for **ApplicationFile** and **LaunchAppAtLogin** underneath the **PackageFamilyName** you just entered. Enter the appx filename in the **ApplicationFile** box in the center pane.
|
||||
> [!TIP]
|
||||
> You can make changes to existing packages and change the version number to update previously applied packages.
|
||||
|
||||

|
||||
6. Optional: You can choose to encrypt the package and enable package signing.
|
||||
|
||||
Generally, **LaunchAppAtLogin** should be set to **Do not launch app** or **NOT CONFIGURED**.
|
||||
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
|
||||
|
||||
5. Next, click **DeviceContextAppLicense** in the left pane. In the center pane, you’ll be asked to specify the **LicenseProductId**. Click **Add**. Back in the left pane, click on the **LicenseProductId** that you just added. In the center pane, you'll need to specify **LicenseInstall**. Enter the name of the license file that you previously downloaded from the Store for Business, either by typing or clicking **Browse**. The file will have a extension of "ms-windows-store-license".
|
||||
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
|
||||
|
||||

|
||||
> [!IMPORTANT]
|
||||
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
|
||||
|
||||
6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
|
||||
7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
|
||||
Optionally, you can click **Browse** to change the default output location.
|
||||
|
||||

|
||||
8. Click **Next**.
|
||||
|
||||
7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
|
||||
9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
|
||||
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
|
||||
|
||||

|
||||
10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
|
||||
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
|
||||
|
||||
Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
|
||||
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
|
||||
|
||||

|
||||
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
|
||||
|
||||
Choose where to save the provisioning package, and click **Next**.
|
||||
11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
|
||||
|
||||

|
||||
|
||||
Review the information shown, and if it looks good, click **Build**.
|
||||
## Apply a provisioning package to Surface Hub
|
||||
|
||||

|
||||
There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
|
||||
|
||||
You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
|
||||
|
||||

|
||||
### Apply a provisioning package during first run
|
||||
|
||||
8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
|
||||
> [!IMPORTANT]
|
||||
> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
|
||||
|
||||
### <a href="" id="deploy-to-hub-prov-pkg"></a>Deploy a provisioning package to a Surface Hub
|
||||
1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
|
||||
|
||||
The following two methods for deploying provisioning packages apply to any kind of provisioning package that is being deployed to a Surface Hub. There is no difference in the way cert provisioning packages and app provisioning packages are installed. You may see different description text in the UI depending on what the package is for, but the process is still the same.
|
||||
2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
|
||||
|
||||
### <a href="" id="deploy-via-oobe-prov-pkg"></a>Deploy a provisioning package using first run
|
||||

|
||||
|
||||
1. When you turn on the Surface Hub for the first time, the first run process will display the page titled **Hi there**. Make sure the settings on this page are correct before you proceed. (See [Hi there page](first-run-program-surface-hub.md#first-page) for details.) Once you've deployed your provisioning package, the first run process will not return here. It will continue to the next screen.
|
||||
2. Insert the USB drive into the Surface Hub.
|
||||
3. Press the Windows key on the separate keyboard five times. You’ll see a dialog box asking whether you want to set up your device. Click **Set Up**.
|
||||
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
|
||||
|
||||
IMage
|
||||

|
||||
|
||||
4. Click on **Removable Media** in the **Provision From** dropdown list, then click **Next**.
|
||||
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
|
||||
|
||||

|
||||

|
||||
|
||||
5. The available packages in the root directory of the USB drive will be listed. Note that you can only install one package during first run. Select the package you want to install and then click **Next**.
|
||||
5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
|
||||
|
||||

|
||||

|
||||
|
||||
6. You’ll then see a dialog asking if it’s from a source you trust. Click **Yes, add it**. The certificate will be installed, and you’ll be taken to the next page of first run.
|
||||
|
||||

|
||||
### Apply a package using Settings
|
||||
|
||||
### <a href="" id="deploy-via-settings-prov-pkg"></a>Deploy a provisioning package using Settings
|
||||
|
||||
1. Insert the USB drive into the Surface Hub you want to deploy to.
|
||||
2. On the Surface Hub, open **Settings** and enter in the admin credentials.
|
||||
3. Navigate to **System > Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
|
||||
4. Here, click the button for **Add a package**.
|
||||
|
||||

|
||||
|
||||
5. Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
|
||||
|
||||

|
||||
|
||||
6. Choose your package and click **Add**.
|
||||
|
||||

|
||||
|
||||
7. You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
|
||||
8. You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.
|
||||
|
||||
|
||||
|
||||
|
||||
1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
|
||||
|
||||
2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
|
||||
|
||||
3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
|
||||
|
||||
4. Select **Add a package**.
|
||||
|
||||
5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
|
||||
|
||||
6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
|
||||
|
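Review bot: The **Enable package encryption** bullet under step 6 says an auto-generated password will be shown on the screen but does not say what the admin should do with it. Add a sentence telling them to record it and store it securely, and state whether it is needed when the package is applied. Two smaller points: in the new "Apply a provisioning package to Surface Hub" paragraph, "provisioning packing" should read "provisioning package", and steps 7, 9 and 10 of the build procedure each end with a stray `<p>` that is never closed.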
@ -7,21 +7,19 @@ author: TrudyHa
|
||||
localizationpriority: medium
|
||||
---
|
||||
|
||||
# When to use a fully qualified domain name with Surface Hub
|
||||
# Configure domain name for Skype for Business
|
||||
|
||||
A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN.
|
||||
There are a few scenarios where you need to specify the domain name of your Skype for Business server:
|
||||
- **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.
|
||||
- **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
|
||||
- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
|
||||
- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
|
||||
|
||||
## Add FQDN to Surface Hub
|
||||
|
||||
You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed.
|
||||
|
||||
**To add Skype for Business Server FQDN**</br>
|
||||
1. On Surface Hub open the **Settings** app.
|
||||
2. Navigate to **System**, **Microsoft Surface Hub**.
|
||||
3. Under **Skype for Business**, click **Add FQDN**.
|
||||
4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com.
|
||||
**To configure the domain name for your Skype for Business server**</br>
|
||||
1. On Surface Hub, open **Settings**.
|
||||
2. Click **This device**, and then click **Calling**.
|
||||
3. Under **Skype for Business configuration**, click **Configure domain name**.
|
||||
4. Type the domain name for your Skype for Business server, and then click **Ok**.
|
||||
> [!TIP]
|
||||
> You can type multiple domain names, separated by commas. <br> For example: lync.com, outlook.com, lync.glbdns.microsoft.com
|
||||
|
||||

|
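Review bot: The rename from "FQDN" to "domain name" leaves it unclear what form the **Configure domain name** box expects. The "Working with certificates" bullet now says "the domain name of the certificate", and the tip's example mixes a bare domain (lync.com) with a full host name (lync.glbdns.microsoft.com). Since these entries are what the trust relationship is built on, say explicitly whether to enter the name on the server certificate or the DNS suffix, and mark the example values as illustrations. Also, `</br>` on the new "**To configure the domain name ...**" line is not a valid tag (use `<br>`), and **Ok** in step 4 should match the button label's casing.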
@ -565,7 +565,7 @@ After you create the Windows Store for Business portal, configure it by using th
|
||||
|
||||
Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
|
||||
|
||||
**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
|
||||
**Note** Your educational institution can now use a credit card to pay for apps in Windows Store for Business.
|
||||
|
||||
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
|
||||
|
||||
|
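Review bot: The context sentence right after the changed note, "Making apps available through your private store allows all your users.", is incomplete and should be finished while this paragraph is being edited. It does not say what all users are allowed to do, which matters here because the preceding sentence contrasts it with restricting an app to specified users.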
@ -19,24 +19,24 @@ author: jdeckerMS
|
||||
|
||||
<iframe width="501" height="282" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
|
||||
|
||||
Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution.
|
||||
Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- **Minecraft Education Edition** requires Windows 10.
|
||||
- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
|
||||
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**.
|
||||
* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan)
|
||||
* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
|
||||
- **Minecraft: Education Edition** requires Windows 10.
|
||||
- Early access to **Minecraft: Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
|
||||
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
|
||||
* Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
|
||||
* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md)
|
||||
[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
|
||||
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
|
||||
[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
|
||||
|
||||
|
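Review bot: The rewritten intro sentence still reads "add it their Microsoft Store for Business", which is missing "to" and uses "Microsoft Store for Business" where the rest of these pages say "Windows Store for Business". Pick one name and fix the grammar in the same edit. The three image links are wrapped in `<!-- -->` instead of being deleted; if the screenshots are out of date, remove the lines so stale references do not linger in the source.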
@ -8,59 +8,57 @@ ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
---
|
||||
|
||||
# For IT administrators: get Minecraft Education Edition
|
||||
# For IT administrators: get Minecraft: Education Edition
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
|
||||
When you sign up for early access to [Minecraft Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
|
||||
When you sign up for early access to [Minecraft: Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
|
||||
|
||||
> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 subscription when you request Minecraft Education Edition.
|
||||
> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
|
||||
|
||||
## Add Minecraft to your Windows Store for Business
|
||||
|
||||
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - individual copies](#individual-copies).
|
||||
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies).
|
||||
|
||||
If you’ve been approved and are part of the Enrollment for Education Solutions program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license)
|
||||
If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume licenses for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
|
||||
|
||||
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - individual copies
|
||||
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - direct purchase
|
||||
|
||||
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**.
|
||||
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
2. Enter your email address.
|
||||
2. Enter your email address, and select Educator, Administrator, or Student. </br> If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
|
||||
|
||||

|
||||
|
||||
- If your email address isn't associated to an Azure AD or Office 365 tenant, you'll be asked to fill in a form. The information will be used to create an Office 365 subscription for your school.
|
||||
<!--  -->
|
||||
|
||||
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
4. Sign in to Windows Store for Business with your email address.
|
||||
|
||||
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
|
||||
|
||||
6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
|
||||
6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
|
||||
|
||||
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume license
|
||||
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing
|
||||
|
||||
Qualified education institutions can purchase Minecraft: Education Edition volume licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
|
||||
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
|
||||
|
||||
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the copies will be available in [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
|
||||
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
|
||||
- You’ll receive an email with a link to Windows Store for Business.
|
||||
- Sign in to [Windows Store for Business](https://www.microsoft.com/business-store) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
|
||||
|
||||
## <a href="" id="distribute-minecraft"></a>Distribute Minecraft
|
||||
|
||||
After Minecraft Education Edition is added to your Windows Store for Business, you have three options:
|
||||
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
|
||||
|
||||
- You can install the app on your PC.
|
||||
- You can assign the app to others.
|
||||
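Review bot: The new sentence for the volume license path says "you can purchase a volume licenses", which should be either "a volume license" or "volume licenses". The heading for the first path is renamed to "direct purchase" but keeps `id="individual-copies"`, and the sentence linking to it still says "to get individual copies of the app", so the page now uses both terms for the same thing; align the wording, and keep the id only if other topics link to it. The last bullet in the volume licensing list, ending "see [Distribute Minecraft](#distribute-minecraft)", is still missing its period.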
@ -68,11 +66,11 @@ After Minecraft Education Edition is added to your Windows Store for Business, y
|
||||
|
||||
Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).
|
||||
|
||||
Here's the page you'll see for individual copies of **Minecraft: Education Edition**.
|
||||
Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Windows Store for Business.
|
||||
|
||||

|
||||
|
||||
Here's the page you'll see for volume licensed copies of of **Minecraft: Education Edition**.
|
||||
Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.
|
||||
|
||||

|
||||
|
||||
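Review bot: Both image lines in this hunk keep the alt text "Minecraft Education Edition product page" while the surrounding sentences were updated to "Minecraft: Education Edition". Update the alt text too, and make it distinguish the direct purchase page from the volume licensing page, since the two images currently carry identical alt text.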
@ -87,17 +85,17 @@ You can install the app on your PC. This gives you a chance to test the app and
|
||||
3. Click **Install**.
|
||||
|
||||
### Assign to others
|
||||
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can
|
||||
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
|
||||
|
||||
**To assign to others**
|
||||
1. Sign in to Windows Store for Business.
|
||||
2. Click **Manage**.
|
||||
|
||||

|
||||
4. Click **Assign to people**.
|
||||
3. Click **Assign to people**.
|
||||
|
||||

|
||||
5. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
|
||||
4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
|
||||
|
||||
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
|
||||
|
||||
@ -114,16 +112,16 @@ Enter email addresses for your students, and each student will get an email with
|
||||
|
||||

|
||||
|
||||
After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**.
|
||||
After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**. Windows Store app is preinstalled with Windows 10.
|
||||
|
||||

|
||||
|
||||
When students click **My Libarary** they'll find apps assigned to them.
|
||||
When students click **My Library** they'll find apps assigned to them.
|
||||
|
||||

|
||||
|
||||
### Download for others
|
||||
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when:
|
||||
Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
|
||||
- You have administrative permissions to install apps on the PC.
|
||||
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
|
||||
- Your students share Windows 10 computers, but sign in with their own Windows account.
|
||||
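Review bot: Dropping "younger" from the "Download for others" paragraph leaves "This option is best for students, and for shared computers", which no longer distinguishes this option from "Assign to others" (described earlier as best for older students who always use the same PC). Either restore the qualifier or say what kind of deployment the option suits. The sentence also says the install "allows anyone with a Windows account to use the app on that PC"; it is worth stating that this is intended, so admins of shared machines know the app is not limited to assigned users.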
@ -161,12 +159,12 @@ You'll download a .zip file, extract the files, and then use one of the files to
|
||||
6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
|
||||
|
||||
|
||||
## Manage Minecraft Education Edition
|
||||
## Manage Minecraft: Education Edition
|
||||
|
||||
### Access to Windows Store for Business
|
||||
By default, when a teacher with a work or school account in your edu tenant acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
|
||||
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
|
||||
|
||||
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purachaser** role. You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
|
||||
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
|
||||
|
||||
To prevent educators from automatically signing up for Windows Store for Business
|
||||
1. In Windows Store for Business, click **Settings**, and then click **Permissions**.
|
||||
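Review bot: The rewritten first sentence under "Access to Windows Store for Business" still says "signed up for Window Store for Business"; it should be "Windows". This change fixes "Purachaser" in the next paragraph, but that sentence still reads "You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.**" with no noun after the setting name. Add "setting" or "option" so it is clear this is the control that stops the **Basic Purchaser** role from being assigned automatically.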
@ -217,10 +215,10 @@ These apps will automatically be in your private store:
|
||||
|
||||
As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
|
||||
|
||||
## Need more copies of Minecraft: Education Edition?
|
||||
<!-- ## Need more copies of Minecraft: Education Edition?
|
||||
You can purchase more licenses by working with your channel partner. Licenses are available at a lower rate than the price for individual copies that are available through Windows Store for Business. Individual copies are also available through Windows Store for Business.
|
||||
|
||||
If you’ve purchased a volume license, be sure to let other basic purchasers in your organization know about the volume license. That should help prevent unnecessary purchases of individual copies.
|
||||
If you’ve purchased a volume license, be sure to let other basic purchasers in your organization know about the volume license. That should help prevent unnecessary purchases of individual copies. -->
|
||||
|
||||
## Learn more
|
||||
|
||||
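Review bot: The "Need more copies of Minecraft: Education Edition?" section is disabled by wrapping it in `<!-- ... -->` rather than being deleted. If the pricing guidance is no longer accurate, remove the section so the outdated text does not stay in the published source; if it is only on hold, leave a short comment saying why and when it should return.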
@ -230,6 +228,6 @@ If you’ve purchased a volume license, be sure to let other basic purchasers in
|
||||
|
||||
## Related topics
|
||||
|
||||
[Get Minecraft Education Edition](get-minecraft-for-education.md)
|
||||
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
|
||||
|
||||
[For teachers get Minecraft Education Edition](teacher-get-minecraft.md)
|
||||
[For teachers get Minecraft: Education Edition](teacher-get-minecraft.md)
|
||||
|
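Review bot: The second related-topics link reads "For teachers get Minecraft: Education Edition", but the target page's title is "For teachers: get Minecraft: Education Edition". Add the colon after "teachers" so the link text matches the title.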
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
---
|
||||
|
||||
# For teachers: get Minecraft Education Edition
|
||||
# For teachers: get Minecraft: Education Edition
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -18,29 +18,29 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
|
||||
|
||||
## Add Minecraft to your Windows Store for Business
|
||||
|
||||
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**.
|
||||
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
2. Enter your email address.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
|
||||
|
||||

|
||||
<!--  -->
|
||||
|
||||
4. Sign in to Windows Store for Business with your email address.
|
||||
|
||||
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
|
||||
|
||||
6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory.
|
||||
6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Windows Store for Business inventory.
|
||||
|
||||

|
||||
|
||||
## Distribute Minecraft
|
||||
|
||||
After Minecraft Education Edition is added to your Windows Store for Business, you have three options:
|
||||
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
|
||||
|
||||
- You can install the app on your PC.
|
||||
- You can assign the app to others.
|
||||
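Review bot: Step 1 is rewritten here but its link stays on plain `http://education.minecraft.net/`, and step 2 has the teacher enter an email address on that site. If the site serves HTTPS, switch both the link text and the target to `https://` while the line is being touched. Separately, three screenshots are commented out with `<!-- -->` while the step 6 image stays live; remove the stale image lines or replace them with current captures so the steps and the images do not drift apart.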
@ -97,7 +97,7 @@ Students will receive an email with a link that will install the app on their PC
|
||||

|
||||
|
||||
### Download for others
|
||||
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when:
|
||||
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
|
||||
- You have administrative permissions to install apps on the PC.
|
||||
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
|
||||
- Your students share Windows 10 computers, but sign in with their own Windows account.
|
||||
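Review bot: The edited sentence still reads "download a packages that they can install", which should be "download a package" (or "download packages"). Dropping "younger" also leaves "This option is best for students, and for shared computers", which no longer says how this option differs from the others, since every option is for students; consider "best for shared computers" or restoring a qualifier.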
@ -152,8 +152,8 @@ If you are still having trouble installing the app, you can get more help on our
|
||||
|
||||
## Related topics
|
||||
|
||||
[Get Minecraft Education Edition](get-minecraft-for-education.md)
|
||||
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
|
||||
|
||||
[For IT admins: get Minecraft Education Edition](school-get-minecraft.md)
|
||||
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
|
||||
|
||||
|
||||
|
@ -18,6 +18,8 @@ author: jdeckerMS
|
||||
|
||||
Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
|
||||
|
||||
[Download the Set up School PCs app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4ls40)
|
||||
|
||||

|
||||
|
||||
## What does this app do?
|
||||
|
@ -13,7 +13,7 @@ ms.prod: w10
|
||||
# Choosing Which Version of AGPM to Install
|
||||
|
||||
|
||||
Each release of Microsoft Advanced Group Policy Management (AGPM) supports specific versions of the Windows operating system. We strongly recommend that you run the AGPM Client and AGPM Server on the same line of operating systems, for example, Windows 8.1 with Windows Server 2012 R2, Windows 8 with Windows Server 2012, and so on.
|
||||
Each release of Microsoft Advanced Group Policy Management (AGPM) supports specific versions of the Windows operating system. We strongly recommend that you run the AGPM Client and AGPM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
|
||||
|
||||
We recommend that you install the AGPM Server on the most recent version of the operating system in the domain. AGPM uses the Group Policy Management Console (GPMC) to back up and restore Group Policy Objects (GPOs). Because newer versions of the GPMC provide additional policy settings that are not available in earlier versions, you can manage more policy settings by using the most recent version of the operating system.
|
||||
|
||||
@ -45,8 +45,8 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows 10</p></td>
|
||||
<td align="left"><p>Windows 10</p></td>
|
||||
<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
|
||||
<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
@ -55,19 +55,19 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
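Review bot: In the Windows Server 2012 R2 row, the second cell goes from "Windows Server 2012 or Windows 8" to "Windows Server 2012 or Windows 8.1", which reads as a find-and-replace of "Windows 8" rather than its removal. The status cell for that row still says settings "that exist only in Windows 8.1" cannot be edited, which does not fit a pairing that now lists Windows 8.1 on both sides. The AGPM 4.0 SP3 release-notes table later in this change uses "Windows Server 2012" alone for the same cell; use that here too, and fix the same substitution in the AGPM 4.0 SP2 table.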
@ -77,7 +77,7 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@ -113,29 +113,29 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP2, and
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Not supported</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@ -164,29 +164,29 @@ Table 2 lists the operating systems on which you can install AGPM 4.0 SP1, and t
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012</p></td>
|
||||
<td align="left"><p>Windows Server 2012</p></td>
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2, or Windows 7</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2, or Windows 7</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
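Review bot: In the "Windows Server 2008 R2 or Windows 7" row, "exist only in Windows 8" becomes "exist only in Windows 8.1", but this table is for AGPM 4.0 SP1, whose first row now lists only Windows Server 2012 and whose version summary elsewhere in this change does not include Windows 8.1. "Windows Server 2012" looks like the intended replacement. The two status cells changed to "Windows Server 2008 R2, or Windows 7" also keep a comma in front of a two-item list; drop it.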
@ -18,11 +18,11 @@ Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of th
|
||||
## AGPM Version Information
|
||||
|
||||
|
||||
[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
|
||||
[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
|
||||
[AGPM 4.0 SP1](agpm-40-sp1-navengl.md) supports Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
[AGPM 4.0 SP1](agpm-40-sp1-navengl.md) supports Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
|
||||
[AGPM 4](agpm-4-navengl.md) supports Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
|
||||
|
||||
|
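Review bot: The AGPM 4.0 SP3 line drops Windows 8 but does not add Windows Server 2016, while the SP3 release notes and the supported-configuration tables in this same change state that SP3 adds support for Windows 10 and Windows Server 2016. Add Windows Server 2016 to the SP3 list so the summary matches the rest of the change.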
@ -88,6 +88,10 @@ If a user who has the Editor role submits a request to deploy a GPO, and the use
|
||||
|
||||
**Workaround:** None.
|
||||
|
||||
### Added mechanism to override AGPM default behavior of removing GPO permission changes
|
||||
|
||||
As of HF02, AGPM has added a registry key to enable overriding the default AGPM GPO permission behavior. For more information, please see [Changes to Group Policy object permissions through AGPM are ignored](https://support.microsoft.com/kb/3174540)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
|
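Review bot: The new section says "As of HF02" without naming the AGPM release the hotfix applies to, and it describes the registry key only by pointing at KB 3174540. Because the key overrides AGPM's default of removing GPO permission changes, the text should say which release it applies to, whether the default behavior stays in effect until the key is set, and on which machine (AGPM Server or Client) it is set, then link the KB for details. The sentence is also missing its closing period, and the section sits directly under a known issue's "Workaround: None." line, so confirm that a feature note belongs in this list.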
@ -22,7 +22,7 @@ AGPM 4.0 SP3 supports the following features and functionality.
|
||||
|
||||
### Support for Windows 10
|
||||
|
||||
AGPM 4.0 SP3 adds support for the Windows 10 operating systems.
|
||||
AGPM 4.0 SP3 adds support for the Windows 10 and Windows Server 2016 operating systems.
|
||||
|
||||
### Support for PowerShell
|
||||
|
||||
@ -111,7 +111,7 @@ You can upgrade the AGPM Client or AGPM Server to AGPM 4.0 SP3 without being pr
|
||||
## Supported configurations
|
||||
|
||||
|
||||
AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM supports mixed configurations, we strongly recommend that you run the AGPM Client and AGPM Server on the same operating system line—for example, Windows 10 only, Windows 8.1 with Windows Server 2012 R2, and so on.
|
||||
AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM supports mixed configurations, we strongly recommend that you run the AGPM Client and AGPM Server on the same operating system line—for example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
|
||||
|
||||
**AGPM 4.0 SP3 supported operating systems and policy settings**
|
||||
|
||||
@ -130,7 +130,7 @@ AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows 10</p></td>
|
||||
<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
|
||||
<td align="left"><p>Windows 10</p></td>
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
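Review bot: Only the first cell of the Windows 10 row is changed to "Windows Server 2016 or Windows 10"; the second cell stays "Windows 10". The matching row of the AGPM 4.0 SP3 table in "Choosing Which Version of AGPM to Install", edited earlier in this change, updates both cells. Make the two tables agree and confirm which of the two is the intended support statement.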
@ -140,29 +140,29 @@ AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM
|
||||
<td align="left"><p>Supported</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
|
||||
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
|
||||
<td align="left"><p>Windows Server 2012</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
|
||||
<td align="left"><p>Not supported</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
|
||||
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@ -190,7 +190,7 @@ The following table describes the behavior of AGPM 4.0 SP3 Client and Server in
|
||||
|
||||
**Remote Server Administration Tools**
|
||||
|
||||
**Windows 10**
|
||||
**Windows 10 or Windows Server 2016**
|
||||
|
||||
If the .NET Framework 4.5.1 is not enabled or installed, the installer blocks the installation.
|
||||
|
||||
|
@ -58,16 +58,21 @@ Microsoft provides support for the current service pack and, in some cases, the
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2016</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
@ -147,16 +152,21 @@ The following table lists the operating systems that are supported for the App-V
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2016</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
@ -195,16 +205,21 @@ The following table lists the operating systems that are supported for the App-V
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2016</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
@ -267,6 +282,8 @@ The following table lists the SQL Server versions that are supported for the App
|
||||
|
||||
The following table lists the operating systems that are supported for the App-V 5.1 client installation.
|
||||
|
||||
**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="33%" />
|
||||
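Review bot: The added note is inserted between the sentence "The following table lists the operating systems that are supported for the App-V 5.1 client installation." and the table it introduces, so the lead-in no longer sits next to its table. Move the note above the lead-in sentence or below the table. It also lacks a closing period, and "aka 1607 version" would read better as "(version 1607)", in line with the "pre-1607 version" wording used in the table row changed in the next hunk.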
@ -282,7 +299,7 @@ The following table lists the operating systems that are supported for the App-V
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows 10</p></td>
|
||||
<td align="left"><p>Microsoft Windows 10 (pre-1607 version)</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
@ -292,11 +309,6 @@ The following table lists the operating systems that are supported for the App-V
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows 8</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows 7</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
@ -344,16 +356,21 @@ The following table lists the operating systems that are supported for App-V 5.1
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2016</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
@ -393,32 +410,32 @@ The following table lists the operating systems that are supported for the App-V
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Microsoft Windows Server 2016</p></td>
|
||||
<td align="left"></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
|
||||
<td align="left"></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows Server 2012</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows 10</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit and 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Windows 8.1</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit and 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Windows 8</p></td>
|
||||
<td align="left"><p>Microsoft Windows 8.1</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit and 64-bit</p></td>
|
||||
</tr>
|
||||
|
@ -143,6 +143,44 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
|
||||
|
||||
**Workaround**: Use a different filename
|
||||
|
||||
## Intermittent "File Not Found" error when Mounting a Package
|
||||
|
||||
|
||||
Occassionally when mounting a package, a "File Not Found" (0x80070002) error is generated. Typically, this occurs when a folder in an App-V package contains many files ( i.e. 20K or more). This can cause streaming to take longer than expected and to time out which generates the "File Not Found" error.
|
||||
|
||||
**Workaround**: Starting with HF06, a new registry key has been introduced to enable extending this time-out period.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="20%" />
|
||||
<col width="80%" />
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td align="left">Path</td>
|
||||
<td align="left">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">Setting</td>
|
||||
<td align="left">StreamResponseWaitTimeout</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">DataType</td>
|
||||
<td align="left">DWORD</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">Units</td>
|
||||
<td align="left">Seconds</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">Default</td>
|
||||
<td align="left">5<br />
|
||||
**Note**: this value is the default if the registry key is not defined or a value <=5 is specified.
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
## Got a suggestion for App-V?
|
||||
|
||||
|
||||
|
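Review bot: Inside the Default cell, `**Note**` is Markdown placed within an HTML `<td>` and "<=5" contains a raw `<`; other table cells on these pages use `<strong>` tags, so this should be `<strong>Note</strong>` and `&lt;=5` (or "5 or less") to render reliably. The paragraph has "Occassionally" for "Occasionally", and "( i.e. 20K or more)" should be tidied to "(for example, 20,000 or more)". The workaround names HF06 without saying which App-V release it is a hotfix for and gives no guidance on choosing a StreamResponseWaitTimeout value; add both.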
@ -88,7 +88,7 @@ For a list of all languages supported for client and server in MBAM 2.5 and MBAM
|
||||
|
||||
### Support for Windows 10
|
||||
|
||||
MBAM 2.5 SP1 adds support for Windows 10, in addition to the same software that is supported in earlier versions of MBAM.
|
||||
MBAM 2.5 SP1 adds support for Windows 10 and Windows Server 2016, in addition to the same software that is supported in earlier versions of MBAM.
|
||||
|
||||
Windows 10 is supported in both MBAM 2.5 and MBAM 2.5 SP1.
|
||||
|
||||
@ -217,6 +217,7 @@ After installation, the service will now set the MBAM agent service to use delay
|
||||
|
||||
The compliance calculation logic for "Locked Fixed Data" volumes has been changed to report the volumes as "Compliant," but with a Protector State and Encryption State of "Unknown" and with a Compliance Status Detail of "Volume is locked". Previously, locked volumes were reported as “Non-Compliant”, a Protector State of "Encrypted", an Encryption State of "Unknown", and a Compliance Status Detail of "An unknown error".
|
||||
|
||||
|
||||
## How to Get MDOP Technologies
|
||||
|
||||
|
||||
|
@ -137,6 +137,8 @@ The following tables show the languages that are supported for the MBAM Client (
|
||||
|
||||
### MBAM Server operating system requirements
|
||||
|
||||
We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
|
||||
|
||||
The following table lists the operating systems that are supported for the MBAM Server installation.
|
||||
|
||||
<table>
|
||||
@ -156,21 +158,27 @@ The following table lists the operating systems that are supported for the MBAM
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>Windows Server 2016</p></td>
|
||||
<td align="left"><p>Standard or Datacenter</p></td>
|
||||
<td align="left"></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Standard or Datacenter</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012</p></td>
|
||||
<td align="left"><p>Standard or Datacenter</p></td>
|
||||
<td align="left"></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Standard or Datacenter</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
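Review bot: After the reorder, the last row (Windows Server 2008 R2, SP1) sits under `<tr class="odd">` directly after the Windows Server 2012 row, which is also `<tr class="odd">`, so the odd/even alternation breaks at the bottom of the table; the last row should be `even`. While here, the empty service pack cell is written two ways, `<td align="left"></td>` for Windows Server 2016 and 2012 and `<td align="left"><p></p></td>` for 2012 R2; pick one.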
@ -441,6 +449,8 @@ The following table lists the server processor, RAM, and disk space requirements
|
||||
|
||||
### Client operating system requirements
|
||||
|
||||
We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
|
||||
|
||||
The following table lists the operating systems that are supported for MBAM Client installation. The same requirements apply to the Stand-alone and the Configuration Manager Integration topologies.
|
||||
|
||||
<table>
|
||||
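Review bot: This recommendation paragraph is a verbatim copy of the one added under "MBAM Server operating system requirements" in the same file, so the two will drift the next time a supported OS changes. Suggest keeping the text in one place (for example a short section above both tables) and referring to it from the other.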
@ -472,20 +482,14 @@ The following table lists the operating systems that are supported for MBAM Clie
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows 8</p></td>
|
||||
<td align="left"><p>Enterprise</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows 7</p></td>
|
||||
<td align="left"><p>Enterprise or Ultimate</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows To Go</p></td>
|
||||
<td align="left"><p>Windows 8, Windows 8.1, and Windows 10 Enterprise</p></td>
|
||||
<td align="left"><p>Windows 8.1 and Windows 10 Enterprise</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
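Review bot: Removing the Windows 8 row and dropping "Windows 8" from the Windows To Go row changes the support statement for the MBAM Client, yet the hunk carries no explanation for readers who still run Windows 8. Suggest a one-line entry in the release notes or a sentence above the table stating that Windows 8 is no longer a supported client, so the removal is not mistaken for an editing accident.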
@ -532,30 +536,24 @@ The following table lists the operating systems that are supported for MBAM Grou
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows 8</p></td>
|
||||
<td align="left"><p>Enterprise, or Pro</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows 7</p></td>
|
||||
<td align="left"><p>Enterprise, or Ultimate</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
<td align="left"><p>32-bit or 64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2012 R2</p></td>
|
||||
<td align="left"><p>Standard or Datacenter</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows Server 2012</p></td>
|
||||
<td align="left"><p>Standard or Datacenter</p></td>
|
||||
<td align="left"><p></p></td>
|
||||
<td align="left"><p>64-bit</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows Server 2008 R2</p></td>
|
||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
||||
<td align="left"><p>SP1</p></td>
|
||||
|
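Review bot: Three `<tr class=...>` lines in this hunk flip between `odd` and `even` only because the Windows 8 row above them was removed, which makes the support change hard to spot among the churn. If the `class` attributes are not needed for rendering, dropping them (or moving the table to a pipe table, as other topics in this change use) would keep future row edits to a single block of lines.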
@ -118,6 +118,22 @@ If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an "Acc
|
||||
|
||||
**Workaround:** If the "Access Denied" error message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.
|
||||
|
||||
### Support for Bitlocker XTS-AES encryption algorithm
|
||||
Bitlocker added support for the XTS-AES encryption algorithm in Windows 10, version 1511.
|
||||
As of HF02, MBAM now supports this Bitlocker option and is a client-only update.
|
||||
However, there are two known limitations:
|
||||
|
||||
* MBAM will correctly report compliance status but the **Cipher Strength** field in MBAM reports will be empty.
|
||||
MBAM pre-built reports and compliance charts won’t break but the **Cipher Strength** column will be empty for XTS machines.
|
||||
Also, if a customer has a custom report that uses this particular field, they may have to make adjustments to accommodate this update.
|
||||
|
||||
* Customers must use the same encryption strength for OS and data volumes on the same machine.
|
||||
If different encryption strengths are used, MBAM will report the machine as **non-compliant**.
|
||||
|
||||
### Self-Service Portal automatically adds "-" on Key ID entry
|
||||
As of HF02, the MBAM Self-Service Portal automatically adds the '-' on Key ID entry.
|
||||
**Note:** The Server has to be reconfigured for the Javascript to take effect.
|
||||
|
||||
## Got a suggestion for MBAM?
|
||||
|
||||
|
||||
|
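Review bot: In the new XTS-AES section, "As of HF02, MBAM now supports this Bitlocker option and is a client-only update" reads as if MBAM itself were the client-only update; the subject of the second clause should be the hotfix, for example "HF02 adds support for this option; it is a client-only update". "HF02" is also never expanded or linked, the product name should be cased "BitLocker" and "JavaScript", and the Self-Service Portal note says the server "has to be reconfigured" without saying which step that is.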
@ -70,7 +70,7 @@ If upon installation the user or administrator choses to participate in the Cust
|
||||
|
||||
### Monitor Application Settings
|
||||
|
||||
The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
|
||||
The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is run at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
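Review bot: The corrected paragraph still names the task two ways: "**Monitor Application Settings** task" in the first sentence and "Monitor Application Status task" in the third. Since this line is being touched for the "is runs" typo anyway, align the third sentence with the heading.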
@ -96,7 +96,7 @@ The **Monitor Application Settings** task is used to synchronize settings for Wi
|
||||
### Sync Controller Application
|
||||
|
||||
The **Sync Controller Application** task is used to start the Sync Controller to synchronize settings from the computer to the settings storage location. By default, the task runs every 30 minutes. At that time, local settings are synchronized to the settings storage location, and updated settings on the settings storage location are synchronized to the computer. The Sync Controller application runs the Microsoft.Uev.SyncController.exe, which is located in the UE-V Agent installation directory.
|
||||
|
||||
**Note:** As per the **Monitor Application Settings** task, this task is run at logon but is delayed by 30 seconds to not affect the logon detrimentally.
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
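Review bot: The added note uses a bold `**Note:**` prefix, while other topics in this same change convert notes to the `>[!NOTE]` block style; use one convention. The wording "As per the **Monitor Application Settings** task" would also read better as "Like the **Monitor Application Settings** task", and the paragraph above still says only "By default, the task runs every 30 minutes", so a reader has to combine the two to learn that the task has both a logon trigger and a repeating one.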
@ -305,7 +305,7 @@ The following additional information applies to UE-V scheduled tasks:
|
||||
|
||||
- ll task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default.
|
||||
|
||||
- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute. You can also increase the 30 min default to a higher amount if necessary.
|
||||
- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute. You can also increase the 30 min default to a higher amount if necessary. If users complain that settings do not synchronize fast enough on logon, then you can remove the delay setting for the scheduled task. (You can find the delay setting in the **Edit Trigger** dialogue box)
|
||||
|
||||
- You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately.
|
||||
|
||||
|
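Review bot: The rewritten bullet keeps the setting name spelled "SettingsSToragePath" with a stray capital T; it should read "SettingsStoragePath" so that it matches what an administrator would search for. The added sentence also ends with a parenthetical that has no closing period, and "dialogue box" should be "dialog box" to match the UI term.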
@ -9,6 +9,7 @@
|
||||
#### [Prepare your environment](upgrade-analytics-prepare-your-environment.md)
|
||||
#### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md)
|
||||
#### [Deploy Windows](upgrade-analytics-deploy-windows.md)
|
||||
#### [Review site discovery](upgrade-analytics-review-site-discovery.md)
|
||||
### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
|
||||
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
|
||||
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
|
||||
@ -44,6 +45,7 @@
|
||||
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
|
||||
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
|
||||
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
|
||||
## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
|
||||
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
|
||||
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
|
||||
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
|
||||
|
@ -11,10 +11,18 @@ author: greg-lindsay
|
||||
# Change history for Deploy Windows 10
|
||||
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
|
||||
|
||||
## October 2016
|
||||
| New or changed topic | Description |
|
||||
|----------------------|-------------|
|
||||
| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
|
||||
|
||||
## September 2016
|
||||
| New or changed topic | Description |
|
||||
|----------------------|-------------|
|
||||
| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
|
||||
| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated with prerequisites for site discovery |
|
||||
| [Resolve application and driver issues](upgrade-analytics-resolve-issues.md) | Updated with app status info for Ready For Windows |
|
||||
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | New |
|
||||
|
||||
## RELEASE: Windows 10, version 1607
|
||||
|
||||
|
BIN
windows/deploy/images/upgrade-analytics-create-iedataoptin.png
Normal file
After Width: | Height: | Size: 23 KiB |
BIN
windows/deploy/images/upgrade-analytics-most-active-sites.png
Normal file
After Width: | Height: | Size: 13 KiB |
BIN
windows/deploy/images/upgrade-analytics-namepub-rollup.PNG
Normal file
After Width: | Height: | Size: 5.2 KiB |
BIN
windows/deploy/images/upgrade-analytics-query-activex-name.png
Normal file
After Width: | Height: | Size: 8.6 KiB |
After Width: | Height: | Size: 9.8 KiB |
After Width: | Height: | Size: 9.3 KiB |
After Width: | Height: | Size: 19 KiB |
BIN
windows/deploy/images/upgrade-analytics-site-domain-detail.png
Normal file
After Width: | Height: | Size: 248 KiB |
BIN
windows/deploy/images/upgrade-process.png
Normal file
After Width: | Height: | Size: 354 KiB |
@ -21,6 +21,7 @@ Learn about deploying Windows 10 for IT professionals.
|
||||
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|
||||
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
|
||||
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|
||||
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|
||||
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|
||||
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
|
||||
| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
|
||||
|
@ -92,9 +92,10 @@ By default MDT stores the log files locally on the client. In order to capture a
|
||||
|
||||
1. On MDT01, log on as **CONTOSO\\Administrator**.
|
||||
2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
|
||||
|
||||
``` syntax
|
||||
New-Item -Path E:\Logs -ItemType directory
|
||||
New-SmbShare ?Name Logs$ ?Path E:\Logs -ChangeAccess EVERYONE
|
||||
New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
|
||||
icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
|
||||
```
|
||||
|
||||
|
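Review bot: The corrected `New-SmbShare` line still grants `-ChangeAccess EVERYONE` on Logs$, so the share itself does not restrict who can write deployment logs; effective access then rests entirely on the NTFS ACL, and the `icacls` line only adds a Modify entry for MDT_BA without removing anything inherited. Suggest granting the share-level change access to the MDT_BA account that the `icacls` line already names, or adding a sentence explaining why Everyone is acceptable on this share.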
@ -40,30 +40,30 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with
|
||||
|
||||
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
|
||||
|
||||
1. General
|
||||
* General
|
||||
|
||||
2. Name: Install Windows 10 Enterprise x64
|
||||
* Name: Install Windows 10 Enterprise x64
|
||||
|
||||
3. Limited Collection: All Systems
|
||||
* Limited Collection: All Systems
|
||||
|
||||
4. Membership rules:
|
||||
* Membership rules:
|
||||
|
||||
5. Direct rule
|
||||
* Direct rule
|
||||
|
||||
6. Resource Class: System Resource
|
||||
* Resource Class: System Resource
|
||||
|
||||
7. Attribute Name: Name
|
||||
* Attribute Name: Name
|
||||
|
||||
8. Value: PC0003
|
||||
* Value: PC0003
|
||||
|
||||
9. Select **Resources**
|
||||
* Select **Resources**
|
||||
|
||||
10. Select **PC0003**
|
||||
* Select **PC0003**
|
||||
|
||||
2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
|
||||
|
||||
**Note**
|
||||
It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
|
||||
>[!NOTE]
|
||||
>It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
|
||||
|
||||
|
||||
|
||||
@ -82,8 +82,8 @@ Using the Configuration Manager console, in the Software Library workspace, sele
|
||||
|
||||
- Make available to the following: Configuration Manager clients, media and PXE
|
||||
|
||||
**Note**
|
||||
It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
|
||||
>[!NOTE]
|
||||
>It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
|
||||
|
||||
|
||||
|
||||
@ -110,10 +110,8 @@ Now you can start the computer refresh on PC0003.
|
||||
|
||||
1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
|
||||
|
||||
**Note**
|
||||
The Client Notification feature is new in Configuration Manager.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The Client Notification feature is new in Configuration Manager.
|
||||
|
||||
2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
|
||||
|
||||
|
@ -20,7 +20,7 @@ This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (L
|
||||
|
||||
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 1. The machines used in this topic.
|
||||
|
||||
@ -28,15 +28,21 @@ Figure 1. The machines used in this topic.
|
||||
|
||||
Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
|
||||
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
|
||||
|
||||
1. Back up data and settings locally, in a backup folder.
|
||||
|
||||
2. Wipe the partition, except for the backup folder.
|
||||
|
||||
3. Apply the new operating system image.
|
||||
|
||||
4. Install other applications.
|
||||
|
||||
5. Restore data and settings.
|
||||
|
||||
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
|
||||
|
||||
**Note**
|
||||
In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
|
||||
>[!NOTE]
|
||||
>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
|
||||
|
||||
### Multi-user migration
|
||||
|
||||
@ -45,8 +51,8 @@ by configuring command-line switches to ScanState (added as rules in MDT).
|
||||
|
||||
As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
|
||||
|
||||
**Note**
|
||||
You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
|
||||
>[!NOTE]
|
||||
>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
|
||||
|
||||
### Support for additional settings
|
||||
|
||||
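Review bot: The example rule on the context line above the converted note is plain text with Markdown escapes, `ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*`, so anyone copying it from the source file gets extra backslashes and a rule that selects different profiles than intended. Since the note next to it is being reformatted anyway, put the rule in a code span or code block so the source and the rendered page show the same text.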
@ -55,12 +61,15 @@ In addition to the command-line switches that control which profiles to migrate,
|
||||
## <a href="" id="sec02"></a>Create a custom User State Migration Tool (USMT) template
|
||||
|
||||
In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
|
||||
|
||||
1. Back up the **C:\\Data** folder (including all files and folders).
|
||||
|
||||
2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
|
||||
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
|
||||
- [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
|
||||
- [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
|
||||
- [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
|
||||
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
|
||||
|
||||
* [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
|
||||
* [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
|
||||
* [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
|
||||
|
||||
### Add the custom XML template
|
||||
|
||||
@ -77,27 +86,30 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it
|
||||
|
||||
After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
|
||||
|
||||
**Note**
|
||||
MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
|
||||
>[!NOTE]
|
||||
>MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
|
||||
|
||||
### Upgrade (refresh) a Windows 7 SP1 client
|
||||
|
||||
1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
|
||||
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
|
||||
2. Computer name: <default>
|
||||
3. Specify where to save a complete computer backup: Do not back up the existing computer
|
||||
**Note**
|
||||
Skip this optional full WIM backup. The USMT backup will still run.
|
||||
|
||||
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
|
||||
* Computer name: <default>
|
||||
* Specify where to save a complete computer backup: Do not back up the existing computer
|
||||
>[!NOTE]
|
||||
>Skip this optional full WIM backup. The USMT backup will still run.
|
||||
|
||||
2. Select one or more applications to install: Install - Adobe Reader XI - x86
|
||||
3. The setup now starts and does the following:
|
||||
1. Backs up user settings and data using USMT.
|
||||
2. Installs the Windows 10 Enterprise x64 operating system.
|
||||
3. Installs the added application(s).
|
||||
4. Updates the operating system via your local Windows Server Update Services (WSUS) server.
|
||||
5. Restores user settings and data using USMT.
|
||||
|
||||

|
||||
3. The setup now starts and does the following:
|
||||
|
||||
* Backs up user settings and data using USMT.
|
||||
* Installs the Windows 10 Enterprise x64 operating system.
|
||||
* Installs the added application(s).
|
||||
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
|
||||
* Restores user settings and data using USMT.
|
||||
|
||||

|
||||
|
||||
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
|
||||
|
||||
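Review bot: The converted bullet `* Computer name: <default>` leaves the angle brackets raw, and a Markdown renderer can treat `<default>` as an HTML tag and drop it, leaving an empty value on the page. Suggest escaping it (`&lt;default&gt;`) or writing "Computer name: (leave the default)". The same applies to any other placeholder written in angle brackets in these wizard setting lists.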
@ -109,7 +121,6 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
|
||||
|
||||
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
|
||||
|
||||
|
||||
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
|
||||
|
||||
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
|
||||
|
@ -32,9 +32,9 @@ In this topic, you will create a backup-only task sequence that you run on PC000
|
||||
|
||||
3. On the **General** page, assign the following settings and click **Next**:
|
||||
|
||||
1. Task sequence name: Replace Task Sequence
|
||||
* Task sequence name: Replace Task Sequence
|
||||
|
||||
2. Task sequence comments: USMT backup only
|
||||
* Task sequence comments: USMT backup only
|
||||
|
||||
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
|
||||
|
||||
@ -48,9 +48,11 @@ In this topic, you will create a backup-only task sequence that you run on PC000
|
||||
|
||||
9. On the **Confirmation** page, click **Finish**.
|
||||
|
||||
10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
|
||||
10. Review the Replace Task Sequence.
|
||||
>[!NOTE]
|
||||
>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 34. The backup-only task sequence (named Replace Task Sequence).
|
||||
|
||||
@ -67,13 +69,13 @@ This section walks you through the process of associating a blank machine, PC000
|
||||
|
||||
4. On the **Single Computer** page, use the following settings and then click **Next**:
|
||||
|
||||
1. Computer Name: PC0006
|
||||
* Computer Name: PC0006
|
||||
|
||||
2. MAC Address: <the mac address from step 1>
|
||||
* MAC Address: <the mac address from step 1>
|
||||
|
||||
3. Source Computer: PC0004
|
||||
* Source Computer: PC0004
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 35. Creating the computer association between PC0004 and PC0006.
|
||||
|
||||
@ -96,25 +98,25 @@ This section walks you through the process of associating a blank machine, PC000
|
||||
|
||||
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
|
||||
|
||||
1. General
|
||||
* General
|
||||
|
||||
2. Name: USMT Backup (Replace)
|
||||
* Name: USMT Backup (Replace)
|
||||
|
||||
3. Limited Collection: All Systems
|
||||
* Limited Collection: All Systems
|
||||
|
||||
4. Membership rules:
|
||||
* Membership rules:
|
||||
|
||||
5. Direct rule
|
||||
* Direct rule
|
||||
|
||||
6. Resource Class: System Resource
|
||||
* Resource Class: System Resource
|
||||
|
||||
7. Attribute Name: Name
|
||||
* Attribute Name: Name
|
||||
|
||||
8. Value: PC0004
|
||||
* Value: PC0004
|
||||
|
||||
9. Select **Resources**
|
||||
* Select **Resources**
|
||||
|
||||
10. Select **PC0004**
|
||||
* Select **PC0004**
|
||||
|
||||
2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
|
||||
|
||||
@ -158,10 +160,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
|
||||
|
||||
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
|
||||
|
||||
**Note**
|
||||
You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
|
||||
|
||||
3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
|
||||
|
||||
@ -173,8 +173,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
|
||||
|
||||
7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
|
||||
|
||||
**Note**
|
||||
It may take a few minutes for the user state store location to be populated.
|
||||
>[!NOTE]
|
||||
>It may take a few minutes for the user state store location to be populated.
|
||||
|
||||
|
||||
|
||||
@ -183,21 +183,21 @@ It may take a few minutes for the user state store location to be populated.
|
||||
|
||||
1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
|
||||
|
||||
1. Password: P@ssw0rd
|
||||
* Password: P@ssw0rd
|
||||
|
||||
2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
|
||||
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
|
||||
|
||||
2. The setup now starts and does the following:
|
||||
|
||||
1. Installs the Windows 10 operating system
|
||||
* Installs the Windows 10 operating system
|
||||
|
||||
2. Installs the Configuration Manager client
|
||||
* Installs the Configuration Manager client
|
||||
|
||||
3. Joins it to the domain
|
||||
* Joins it to the domain
|
||||
|
||||
4. Installs the applications
|
||||
* Installs the applications
|
||||
|
||||
5. Restores the PC0004 backup
|
||||
* Restores the PC0004 backup
|
||||
|
||||
When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
|
||||
|
||||
|
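Review bot: The five items under step 2 ("The setup now starts and does the following") describe a sequence, from installing the operating system through restoring the PC0004 backup, so changing them from a numbered list to `*` bullets drops the ordering the old text carried. Either keep that sub-list numbered or add "in this order" to the lead-in sentence. Separately, the wizard settings under step 1 still show the literal "Password: P@ssw0rd"; if that value is the lab password from the proof-of-concept setup, say so on the line so readers do not carry it into a production deployment share.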
@ -19,7 +19,7 @@ author: mtniehaus
|
||||
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
|
||||
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 1. The machines used in this topic.
|
||||
|
||||
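Review bot: The new alt text on images/mdt-03-fig01.png, "The machines used in this topic.", repeats the caption "Figure 1. The machines used in this topic." word for word, so a screen reader announces the same sentence twice and learns nothing about the picture. Suggest alt text that names what the figure shows, for example the four machines listed in the paragraph above (DC01, MDT01, PC0002, PC0007). While touching this paragraph, "will be used to backup and restore" should read "back up and restore" (verb form).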
@ -30,11 +30,13 @@ When preparing for the computer replace, you need to create a folder in which to
|
||||
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
|
||||
|
||||
1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
|
||||
|
||||
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
|
||||
|
||||
### Create and share the MigData folder
|
||||
|
||||
1. On MDT01, log on as **CONTOSO\\Administrator**.
|
||||
|
||||
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
|
||||
``` syntax
|
||||
New-Item -Path E:\MigData -ItemType directory
|
||||
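Review bot: The fence that opens the PowerShell commands in step 2 of "Create and share the MigData folder" is written as "``` syntax", which is not a language identifier and gives no highlighting. Since the step says the commands run in an elevated Windows PowerShell prompt, tag the fence as powershell instead.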
@ -45,75 +47,89 @@ When preparing for the computer replace, you need to create a folder in which to
|
||||
### Create a backup only (replace) task sequence
|
||||
|
||||
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
|
||||
|
||||
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
|
||||
1. Task sequence ID: REPLACE-001
|
||||
2. Task sequence name: Backup Only Task Sequence
|
||||
3. Task sequence comments: Run USMT to backup user data and settings
|
||||
4. Template: Standard Client Replace Task Sequence
|
||||
|
||||
* Task sequence ID: REPLACE-001
|
||||
* Task sequence name: Backup Only Task Sequence
|
||||
* Task sequence comments: Run USMT to backup user data and settings
|
||||
* Template: Standard Client Replace Task Sequence
|
||||
|
||||
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 2. The Backup Only Task Sequence action list.
|
||||
|
||||
## <a href="" id="sec02"></a>Perform the computer replace
|
||||
|
||||
During a computer replace, these are the high-level steps that occur:
|
||||
|
||||
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
|
||||
|
||||
2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
|
||||
|
||||
### Execute the replace task sequence
|
||||
|
||||
1. On PC0002, log on as **CONTOSO\\Administrator**.
|
||||
|
||||
2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
|
||||
|
||||
3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
|
||||
|
||||
4. Complete the Windows Deployment Wizard using the following settings:
|
||||
|
||||
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
|
||||
1. Specify where to save your data and settings: Specify a location
|
||||
2. Location: \\\\MDT01\\MigData$\\PC0002
|
||||
**Note**
|
||||
If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
|
||||
* Specify where to save your data and settings: Specify a location
|
||||
* Location: \\\\MDT01\\MigData$\\PC0002
|
||||
>[!NOTE]
|
||||
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
|
||||
|
||||
2. Specify where to save a complete computer backup: Do not back up the existing computer
|
||||
3. Password: P@ssw0rd
|
||||
|
||||
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 3. The new task sequence running the Capture User State action on PC0002.
|
||||
|
||||
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 4. The USMT backup of PC0002.
|
||||
|
||||
### Deploy the PC0007 virtual machine
|
||||
|
||||
1. Create a virtual machine with the following settings:
|
||||
1. Name: PC0007
|
||||
2. Location: C:\\VMs
|
||||
3. Generation: 2
|
||||
4. Memory: 2048 MB
|
||||
5. Hard disk: 60 GB (dynamic disk)
|
||||
|
||||
* Name: PC0007
|
||||
* Location: C:\\VMs
|
||||
* Generation: 2
|
||||
* Memory: 2048 MB
|
||||
* Hard disk: 60 GB (dynamic disk)
|
||||
|
||||
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
|
||||
|
||||

|
||||

|
||||
|
||||
Figure 5. The initial PXE boot process of PC0005.
|
||||
|
||||
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
|
||||
1. Password: P@ssw0rd
|
||||
2. Select a task sequence to execute on this computer:
|
||||
1. Windows 10 Enterprise x64 RTM Custom Image
|
||||
2. Computer Name: PC0007
|
||||
3. Applications: Select the Install - Adobe Reader XI - x86 application.
|
||||
|
||||
* Password: P@ssw0rd
|
||||
* Select a task sequence to execute on this computer:
|
||||
* Windows 10 Enterprise x64 RTM Custom Image
|
||||
* Computer Name: PC0007
|
||||
* Applications: Select the Install - Adobe Reader XI - x86 application.
|
||||
|
||||
4. The setup now starts and does the following:
|
||||
1. Installs the Windows 10 Enterprise operating system.
|
||||
2. Installs the added application.
|
||||
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
|
||||
4. Restores the USMT backup from PC0002.
|
||||
|
||||
* Installs the Windows 10 Enterprise operating system.
|
||||
* Installs the added application.
|
||||
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
|
||||
* Restores the USMT backup from PC0002.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
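Review bot: The caption under images/mdt-03-fig05.png still reads "Figure 5. The initial PXE boot process of PC0005." while step 2 directly above it starts the PC0007 virtual machine and the rest of the section refers only to PC0007. Since this hunk already rewrites the image line, correct the caption to PC0007 in the same change. Also in this hunk, the first high-level step under "Perform the computer replace" says "the optional full Window Imaging (WIM) backup"; that should be "Windows Imaging".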
896
windows/deploy/resolve-windows-10-upgrade-errors.md
Normal file
@ -0,0 +1,896 @@
|
||||
---
|
||||
title: Resolve Windows 10 upgrade errors
|
||||
description: Resolve Windows 10 upgrade errors
|
||||
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
|
||||
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: greg-lindsay
|
||||
localizationpriority: high
|
||||
---
|
||||
|
||||
# Resolve Windows 10 upgrade errors
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
|
||||
|
||||
## In this topic
|
||||
|
||||
The following sections and procedures are provided in this guide:
|
||||
|
||||
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.<BR>
|
||||
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.<BR>
|
||||
- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
|
||||
- [Result codes](#result-codes): Information about result codes.
|
||||
- [Extend codes](#extend-codes): Information about extend codes.
|
||||
- [Log files](#log-files): A list and description of log files useful for troubleshooting.
|
||||
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
|
||||
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
|
||||
- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
|
||||
- [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
|
||||
- [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
|
||||
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
|
||||
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
|
||||
|
||||
## The Windows 10 upgrade process
|
||||
|
||||
The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
|
||||
|
||||
1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
|
||||
2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
|
||||
- Example error codes: 0x2000C, 0x20017
|
||||
3. **First boot phase**: Initial settings are applied.
|
||||
- Example error codes: 0x30018, 0x3000D
|
||||
4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
|
||||
- Example error: 0x4000D, 0x40017
|
||||
5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
|
||||
- Example error: 0x50000
|
||||
|
||||
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
|
||||
|
||||

|
||||
|
||||
DU = Driver/device updates.<BR>
|
||||
OOBE = Out of box experience.<BR>
|
||||
WIM = Windows image (Microsoft)
|
||||
|
||||
## Quick fixes
|
||||
|
||||
The following steps can resolve many Windows upgrade problems.
|
||||
|
||||
<OL>
|
||||
<LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
|
||||
<UL>
|
||||
<LI>chkdsk /F</LI>
|
||||
</UL>
|
||||
</LI>
|
||||
<LI>Attept to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
|
||||
<UL>
|
||||
<LI>DISM.exe /Online /Cleanup-image /Restorehealth</LI>
|
||||
<LI>sfc /scannow</LI>
|
||||
</UL>
|
||||
</LI>
|
||||
<LI>Update Windows so that all available recommended updates are installed.</LI>
|
||||
<LI>Uninstall non-Microsoft antivirus software.
|
||||
<UL>
|
||||
<LI>Use Windows Defender for protection during the upgrade.
|
||||
<LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
|
||||
</UL>
|
||||
<LI>Uninstall all nonessential software.</LI>
|
||||
<LI>Remove nonessential external hardware, such as docks and USB devices.</LI>
|
||||
<LI>Update firmware and drivers.</LI>
|
||||
<LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
|
||||
<LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
|
||||
</OL>
|
||||
|
||||
|
||||
|
||||
## Upgrade error codes
|
||||
|
||||
If the upgrade process is not successful, Windows Setup will return two codes:
|
||||
|
||||
1. **A result code**: The result code corresponds to a specific Win32 error.
|
||||
2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
|
||||
|
||||
>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
|
||||
|
||||
Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
|
||||
|
||||
### Result codes
|
||||
|
||||
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
|
||||
|
||||
Result codes can be matched to the type of error encountered. To match a result code to an error:
|
||||
|
||||
1. Identify the error code type, either Win32 or NTSTATUS, using the first hexidecimal digit:
|
||||
<BR>8 = Win32 error code (ex: 0x**8**0070070)
|
||||
<BR>C = NTSTATUS value (ex: 0x**C**1900107)
|
||||
2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
|
||||
3. Based on the type of error code determined in the first step, match the 4 digits derived from the second step to either a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx), or an [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx).
|
||||
|
||||
For example:
|
||||
- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
|
||||
- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
|
||||
|
||||
Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot.
|
||||
|
||||
### Extend codes
|
||||
|
||||
>Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
|
||||
|
||||
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
|
||||
|
||||
1. Use the first digit to identify the phase (ex: 0x4000D = 4).
|
||||
2. Use the last two digits to identify the operation (ex: 0x4000D = 0D).
|
||||
3. Match the phase and operation to values in the tables provided below.
|
||||
|
||||
The following tables provide the corresponding phase and operation for values of an extend code:
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD colspan=2 align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: phase</B></TD>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 5.4pt 0in 5.4pt'><span style='padding:0in 1pt 0in 1pt;'><b>Phase</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_UNKNOWN
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_DOWNLEVEL
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_SAFE_OS
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_FIRST_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OOBE_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_UNINSTALL
|
||||
</TABLE>
|
||||
|
||||
<TABLE border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;border:none'>
|
||||
<TR><TD colspan=2 align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: operation</B></TD>
|
||||
<TR><TD align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 4pt 0in 4pt'><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_UNKNOWN
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_COPY_PAYLOAD
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DOWNLOAD_UPDATES
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_UPDATES
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>6<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REPLICATE_OC
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>7<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_DRVIERS
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>8<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_SAFE_OS
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>9<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_ROLLBACK
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>A<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_FIRST_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>B<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_OOBE_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>C<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_APPLY_IMAGE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>D<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_MIGRATE_DATA
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>E<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SET_PRODUCT_KEY
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>F<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_UNATTEND
|
||||
</TABLE>
|
||||
</TD>
|
||||
<TD align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 4pt 0in 4pt'><b>Operation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>10<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_DRIVER
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>11<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ENABLE_FEATURE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>12<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DISABLE_FEATURE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>13<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>14<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>15<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_FILE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>16<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_REGISTRY
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>17<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>18<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SYSPREP
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>19<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_OOBE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1A<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_FIRST_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1B<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_FIRST_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1C<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_OOBE_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1D<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_OOBE_BOOT
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1E<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PRE_OOBE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1F<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_POST_OOBE
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>20<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
</TABLE>
|
||||
|
||||
For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
|
||||
|
||||
## Log files
|
||||
|
||||
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
|
||||
|
||||
<P>The following table describes some log files and how to use them for troubleshooting purposes:
|
||||
|
||||
<TABLE>
|
||||
<TR>
|
||||
<td BGCOLOR="#a0e4fa"><B>Log file<td BGCOLOR="#a0e4fa"><B>Phase: Location<td BGCOLOR="#a0e4fa"><B>Description<td BGCOLOR="#a0e4fa"><B>When to use
|
||||
|
||||
<TR><TD rowspan=5>setupact.log<TD>Down-Level:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about setup actions during the downlevel phase.
|
||||
<TD>All down-level failures and starting point for rollback investigations.<BR> This is the most important log for diagnosing setup issues.
|
||||
<TR><TD>OOBE:<BR>$Windows.~BT\Sources\Panther\UnattendGC
|
||||
<TD>Contains information about actions during the OOBE phase.<TD>Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
|
||||
<TR><TD>Rollback:<BR>$Windows.~BT\Sources\Rollback<TD>Contains information about actions during rollback.<TD>Investigating generic rollbacks - 0xC1900101.
|
||||
<TR><TD>Pre-initialization (prior to downlevel):<BR>Windows</TD><TD>Contains information about initializing setup.<TD>If setup fails to launch.
|
||||
<TR><TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about setup actions during the installation.<TD>Investigate post-upgrade related issues.
|
||||
|
||||
<TR><TD>setuperr.log<TD>Same as setupact.log<TD>Contains information about setup errors during the installation.<TD>Review all errors encountered during the installation phase.
|
||||
|
||||
<TR><TD>miglog.xml<TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about what was migrated during the installation.<TD>Identify post upgrade data migration issues.
|
||||
|
||||
<TR><TD>BlueBox.log<TD>Down-Level:<BR>Windows\Logs\Mosetup<TD>Contains information communication between setup.exe and Windows Update.<TD>Use during WSUS and WU down-level failures or for 0xC1900107.
|
||||
|
||||
<TR><TD>Supplemental rollback logs:<BR>
|
||||
Setupmem.dmp<BR>
|
||||
setupapi.dev.log<BR>
|
||||
Event logs (*.evtx)
|
||||
|
||||
|
||||
<TD>$Windows.~BT\Sources\Rollback<TD>Additional logs collected during rollback.
|
||||
<TD>
|
||||
Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<BR>
|
||||
Setupapi: Device install issues - 0x30018<BR>
|
||||
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
|
||||
|
||||
</TABLE>
|
||||
|
||||
### Log entry structure
|
||||
|
||||
A setupact.log or setuperr.log entry includes the following elements:
|
||||
|
||||
<OL>
|
||||
<LI><B>The date and time</B> - 2016-09-08 09:20:05.
|
||||
<LI><B>The log level</B> - Info, Warning, Error, Fatal Error.
|
||||
<LI><B>The logging component</B> - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
|
||||
<UL>
|
||||
<LI>The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
|
||||
</UL>
|
||||
<LI><B>The message</B> - Operation completed successfully.
|
||||
</OL>
|
||||
|
||||
See the following example:
|
||||
|
||||
| Date/Time | Log level | Component | Message |
|
||||
|------|------------|------------|------------|
|
||||
|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
|
||||
|
||||
|
||||
### Analyze log files
|
||||
|
||||
<P>To analyze Windows Setup log files:
|
||||
|
||||
<OL>
|
||||
<LI>Determine the Windows Setup error code.
|
||||
<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
|
||||
<LI>Open the log file in a text editor, such as notepad.
|
||||
<LI>Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
|
||||
<LI>To find the last occurrence of the result code:
|
||||
<OL type="a">
|
||||
<LI>Scroll to the bottom of the file and click after the last character.
|
||||
<LI>Click **Edit**.
|
||||
<LI>Click **Find**.
|
||||
<LI>Type the result code.
|
||||
<LI>Under **Direction** select **Up**.
|
||||
<LI>Click **Find Next**.
|
||||
</OL>
|
||||
<LI> When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
|
||||
<LI> Search for the following important text strings:
|
||||
<UL>
|
||||
<LI><B>Shell application requested abort</B>
|
||||
<LI><B>Abandoning apply due to error for object</B>
|
||||
</UL>
|
||||
<LI> Decode Win32 errors that appear in this section.
|
||||
<LI> Write down the timestamp for the observed errors in this section.
|
||||
<LI> Search other log files for additional information matching these timestamps or errors.
|
||||
</OL>
|
||||
|
||||
For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
|
||||
|
||||
>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
|
||||
|
||||
<P><B>setuperr.log</B> content:
|
||||
|
||||
<pre style="font-size: 10px; overflow-y: visible">
|
||||
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
|
||||
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
|
||||
27:08, Error Gather failed. Last error: 0x00000000
|
||||
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
|
||||
27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44
|
||||
27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
|
||||
27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
|
||||
27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
|
||||
</PRE>
|
||||
|
||||
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
|
||||
|
||||
<pre style="font-size: 10px; overflow-y: visible">
|
||||
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
|
||||
</PRE>
|
||||
|
||||
</B>The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
|
||||
|
||||
Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
|
||||
|
||||
<P><B>setupact.log</B> content:
|
||||
|
||||
<pre style="font-size: 10px; overflow-y: visible">
|
||||
27:00, Info Gather started at 10/5/2016 23:27:00
|
||||
27:00, Info [0x080489] MIG Setting system object filter context (System)
|
||||
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
|
||||
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
|
||||
27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
|
||||
27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
|
||||
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
|
||||
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
|
||||
27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
|
||||
27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37
|
||||
27:08, Info [0x080489] MIG Setting system object filter context (System)
|
||||
27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
|
||||
27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
|
||||
27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
|
||||
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
|
||||
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
|
||||
27:08, Error Gather failed. Last error: 0x00000000
|
||||
27:08, Info Gather ended at 10/5/2016 23:27:08 with result 44
|
||||
27:08, Info Leaving MigGather method
|
||||
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
|
||||
</PRE>
|
||||
|
||||
<P>This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
|
||||
|
||||
## Resolution procedures
|
||||
|
||||
### 0xC1900101
|
||||
|
||||
A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<BR>
|
||||
|
||||
- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
|
||||
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
|
||||
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
|
||||
|
||||
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process.
|
||||
|
||||
<P>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
|
||||
|
||||
|
||||
<TABLE border=1 cellspacing=0 cellpadding=0>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004</B>
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
|
||||
<BR>This is generally caused by out-of-date drivers.
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Uninstall antivirus applications.
|
||||
<BR>Remove all unused SATA devices.
|
||||
<BR>Remove all unused devices and drivers.
|
||||
<BR>Update drivers and BIOS.
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c</B>
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
|
||||
<BR>This is generally caused by out-of-date drivers.
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
|
||||
<BR>Contact your hardware vendor to obtain updated device drivers.
|
||||
<BR>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
|
||||
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
|
||||
<BR>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
|
||||
<P>This is a safeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
Ensure that all that drivers are updated.<BR>
|
||||
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
|
||||
<BR>For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx).
|
||||
<BR>Update or uninstall the problem drivers.
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018</B>
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
|
||||
<BR>Contact your hardware vendor to obtain updated device drivers.
|
||||
<BR>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D</B>
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
|
||||
<BR>This can occur due to a problem with a display driver.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
|
||||
<BR>Update or uninstall the display driver.
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D</B>
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
|
||||
<P>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
|
||||
|
||||
<P>This can occur due to incompatible drivers.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
<P>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
|
||||
<p>Review the rollback log and determine the stop code.
|
||||
<BR>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. An example analysis is shown below. This example is not representative of all cases:
|
||||
<p>Info SP Crash 0x0000007E detected
|
||||
<BR>Info SP Module name :
|
||||
<BR>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
|
||||
<BR>Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
|
||||
<BR>Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
|
||||
<BR>Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
|
||||
<BR>Info SP Cannot recover the system.
|
||||
<BR>Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
|
||||
|
||||
|
||||
<P>Typically there is a a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<BR>
|
||||
|
||||
1. Make sure you have enough disk space.<BR>
|
||||
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<BR>
|
||||
3. Try changing video adapters.<BR>
|
||||
4. Check with your hardware vendor for any BIOS updates.<BR>
|
||||
5. Disable BIOS memory options such as caching or shadowing.
|
||||
</p>
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017</B>
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
|
||||
<BR>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Clean boot into Windows, and then attempt the upgrade to Windows 10.<BR>
|
||||
|
||||
For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
|
||||
|
||||
<P>Ensure you select the option to "Download and install updates (recommended)."
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
</TABLE>
|
||||
|
||||
### 0x800xxxxx
|
||||
|
||||
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
|
||||
|
||||
<P>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
|
||||
|
||||
<TABLE border=1 cellspacing=0 cellpadding=0>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
8000405 - 0x20007
|
||||
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
An unspecified error occurred with a driver during the SafeOS phase.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
800704B8 - 0x3001A
|
||||
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
An extended error has occurred during the first boot phase.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
8007042B - 0x4000D
|
||||
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
|
||||
<BR>This issue can occur due to file system, application, or driver issues.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
[Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
8007001F - 0x4000D
|
||||
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
General failure, a device attached to the system is not functioning.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
[Analyze log files](#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
8007042B - 0x4001E
|
||||
|
||||
</TABLE>
|
||||
|
||||
<P><TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
The installation failed during the second boot phase while attempting the PRE_OOBE operation.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
|
||||
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
|
||||
|
||||
<TABLE cellspacing=0 cellpadding=0>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
|
||||
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
|
||||
|
||||
This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
|
||||
|
||||
</TABLE>
|
||||
</TD>
|
||||
</TR>
|
||||
|
||||
</TABLE>
|
||||
|
||||
|
||||
### Other result codes
|
||||
|
||||
<table>
|
||||
|
||||
<tr>
|
||||
<td BGCOLOR="#a0e4fa"><B>Error code</th>
|
||||
<td BGCOLOR="#a0e4fa"><B>Cause</th>
|
||||
<td BGCOLOR="#a0e4fa"><B>Mitigation</th>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>0xC1800118</td>
|
||||
<td>WSUS has downloaded content that it cannot use due to a missing decryption key.</td>
|
||||
<td>See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information.</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>0xC1900200</td>
|
||||
<td>Setup.exe has detected that the machine does not meet the minimum system requirements.</td>
|
||||
<td>Ensure the system you are trying to upgrade meets the minimum system requirements. <P>See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) for information.</td>
|
||||
</tr>
|
||||
|
||||
|
||||
<tr>
|
||||
<td>0x80090011</td>
|
||||
<td>A device driver error occurred during user data migration.</td>
|
||||
<td>Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process.
|
||||
<P>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0xC7700112</td>
|
||||
<td>Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.</td>
|
||||
<td>This issue is resolved in the latest version of Upgrade Assistant.
|
||||
<P>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>0x80190001</td>
|
||||
<td>An unexpected error was encountered while attempting to download files required for upgrade.</td>
|
||||
<td>To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0x80246007</td>
|
||||
<td>The update was not downloaded successfully.</td>
|
||||
<td>Attempt other methods of upgrading the operating system.<BR>
|
||||
Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
|
||||
<BR>Attempt to upgrade using .ISO or USB.<BR>
|
||||
**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0xC1900201</td>
|
||||
<td>The system did not pass the minimum requirements to install the update.</td>
|
||||
<td>Contact the hardware vendor to get the latest updates.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0x80240017</td>
|
||||
<td>The upgrade is unavailable for this edition of Windows.</td>
|
||||
<td>Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>0x80070020</td>
|
||||
<td>The existing process cannot access the file because it is being used by another process.</td>
|
||||
<td>Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0x80070522</td>
|
||||
<td>The user doesn’t have required privilege or credentials to upgrade.</td>
|
||||
<td>Ensure that you have signed in as a local administrator or have local administrator privileges.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0xC1900107</td>
|
||||
<td>A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
|
||||
</td>
|
||||
<td>Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>0xC1900209</td>
|
||||
<td>The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.</td>
|
||||
<td>Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information.
|
||||
|
||||
<P>You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
<tr>
|
||||
<td>0x8007002 </td>
|
||||
<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
|
||||
<td>Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
|
||||
|
||||
<P>The error 80072efe means that the connection with the server was terminated abnormally.
|
||||
|
||||
<P>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
### Other error codes
|
||||
|
||||
<TABLE>
|
||||
|
||||
<TR><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</TD></TR>
|
||||
<TR><TD>0x80070003- 0x20007
|
||||
<TD>This is a failure during SafeOS phase driver installation.
|
||||
|
||||
<TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
|
||||
</TD></TR>
|
||||
<TR><TD>0x8007025D - 0x2000C
|
||||
<TD>This error occurs if the ISO file's metadata is corrupt.<TD>"Re-download the ISO/Media and re-attempt the upgrade.
|
||||
|
||||
Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
|
||||
|
||||
</TD></TR>
|
||||
<TR><TD>0x80070490 - 0x20007<TD>An incompatible device driver is present.
|
||||
|
||||
<TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
|
||||
|
||||
</TD></TR>
|
||||
<TR><TD>0xC1900101 - 0x2000c
|
||||
<TD>An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
|
||||
<TD>Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
|
||||
<P>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.</TD></TR>
|
||||
<TR><TD>0xC1900200 - 0x20008
|
||||
|
||||
<TD>The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
|
||||
|
||||
<TD>See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
|
||||
|
||||
<BR>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</TD></TR>
|
||||
<TR><TD>0x80070004 - 0x3000D
|
||||
<TD>This is a problem with data migration during the first boot phase. There are multiple possible causes.
|
||||
|
||||
<TD>[Analyze log files](#analyze-log-files) to determine the issue.</TD></TR>
|
||||
<TR><TD>0xC1900101 - 0x4001E
|
||||
<TD>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
|
||||
<TD>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.</TD></TR>
|
||||
<TR><TD>0x80070005 - 0x4000D
|
||||
<TD>The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
|
||||
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.</TD></TR>
|
||||
<TR><TD>0x80070004 - 0x50012
|
||||
<TD>Windows Setup failed to open a file.
|
||||
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.</TD></TR>
|
||||
<TR><TD>0xC190020e
|
||||
<BR>0x80070070 - 0x50011
|
||||
<BR>0x80070070 - 0x50012
|
||||
<BR>0x80070070 - 0x60000
|
||||
<TD>These errors indicate the computer does not have enough free space available to install the upgrade.
|
||||
<TD>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
|
||||
|
||||
<P>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
|
||||
</TD></TR>
|
||||
|
||||
</TABLE>
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
|
||||
<BR>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
|
||||
<BR>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
|
||||
<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
|
||||
<BR>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
|
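Review bot: In the 0x80070005 - 0x4000D row, "with an error in during MIGRATE_DATA operation" has a stray "in"; match the wording of the 0xC1900101 - 0x4001E row ("with an error during PRE_OOBE operation"). In the free-space row, the mitigation text writes "16 GB" and "20 GB" while the USB note writes "8GB (16GB is recommended)"; pick one spacing style. The `#0xC1900101` link is the only fragment here with uppercase characters, whereas the other in-page links use the lowercase `#analyze-log-files` form, so confirm it resolves to the intended section.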
@ -95,10 +95,15 @@ The compatibility update KB scans your computers and enables application usage t
|
||||
| **Operating System** | **KBs** |
|
||||
|----------------------|-----------------------------------------------------------------------------|
|
||||
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
|
||||
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
|
||||
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |
|
||||
|
||||
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
|
||||
|
||||
| **Site discovery** | **KB** |
|
||||
|----------------------|-----------------------------------------------------------------------------|
|
||||
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Site discovery requires the [July 2016 security update for Internet Explorer](https://support.microsoft.com/en-us/kb/3170106) (KB3170106) or later. |
|
||||
|
||||
|
||||
### Automate data collection
|
||||
|
||||
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
|
||||
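Review bot: The catalog links for KB2976978 (Windows 8.1 row) and KB2952664 (Windows 7 SP1 row) still use `http://catalog.update.microsoft.com`, while the KB3150513 links in the same cells use `https://`; these send administrators to update downloads, so switch both to `https://`. The corrected NOTE in the Windows 7 SP1 row (KB2952664 before KB3150513) looks right. The link labels are also inconsistent ("KB 2976978" with a space, "KB2952664" without), and the new Site discovery row repeats the KB number both in the link target and in parentheses, which is fine but should follow the same label style.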
@ -151,9 +156,19 @@ To run the Upgrade Analytics deployment script:
|
||||
|
||||
3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
|
||||
|
||||
4. Notify users if they need to restart their computers. By default, this is set to off.
|
||||
4. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
|
||||
|
||||
5. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
|
||||
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
|
||||
>
|
||||
> *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
|
||||
>
|
||||
> *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
|
||||
>
|
||||
> *IEOptInLevel = 3 Data collection is enabled for all sites*
|
||||
|
||||
5. Notify users if they need to restart their computers. By default, this is set to off.
|
||||
|
||||
6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
|
||||
|
||||
## Seeing data from computers in Upgrade Analytics
|
||||
|
||||
|
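Review bot: The new step 4 uses three names for what reads as one setting: it says to set AllowIEData to IEDataOptIn, gives the default as Disable, and then lists the options as IEOptInLevel = 0 through 3. State which RunConfig.bat parameter takes the 0 to 3 value and what that parameter's default is, so the script can be edited without guessing. Because levels 1 to 3 turn on collection of browsing data, this step should also link to the note in Review site discovery about silent collection and employee notice.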
@ -22,6 +22,12 @@ Upgrade decisions include:
|
||||
|
||||
The blades in the **Resolve issues** section are:
|
||||
|
||||
- Review applications with known issues
|
||||
- Review applications with no known issues
|
||||
- Review drivers with known issues
|
||||
|
||||
As you review applications with known issues, you can also see ISV support of applications for [Ready for Windows](https://www.readyforwindows.com/).
|
||||
|
||||
## Review applications with known issues
|
||||
|
||||
Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
|
||||
@ -67,14 +73,39 @@ For applications assessed as **Fix available**, review the table below for detai
|
||||
| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.<br> |
|
||||
| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.<br> |
|
||||
|
||||
### ISV support for applications with Ready for Windows
|
||||
|
||||
[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/).
|
||||
|
||||
Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
|
||||
|
||||

|
||||
|
||||
If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
|
||||
|
||||

|
||||
|
||||
If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
|
||||
|
||||

|
||||
|
||||
The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
|
||||
|
||||
| Ready for Windows Status | Query rollup level | What this means | Guidance |
|
||||
|-------------------|--------------------------|-----------------|----------|
|
||||
|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
|
||||
| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. |
|
||||
| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
|
||||
| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
|
||||
| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
|
||||
|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.|
|
||||
|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
|
||||
| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
|
||||
|
||||
## Review applications with no known issues
|
||||
|
||||
Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
|
||||
|
||||
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
|
||||
<img src="media/image7.png" width="197" height="336" />
|
||||
-->
|
||||
|
||||

|
||||
|
||||
Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
|
||||
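Review bot: In the Ready for Windows status table, the Guidance column does not contain guidance for several rows: both "Supported version available" rows repeat the "What this means" text, and "Highly adopted" and "Adopted" give the device thresholds (100,000 and 10,000), which are definitions. Move the thresholds into "What this means" and keep Guidance for the action to take, or rename the column. The two FAQ links are written differently (`/windows/ready-for-windows/#/faq/` versus `/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses`); use one form. "Insufficient Data" is also capitalized differently from the other status names.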
@ -95,10 +126,6 @@ To change an application's upgrade decision:
|
||||
|
||||
Drivers that won’t migrate to the new operating system are listed, grouped by availability.
|
||||
|
||||
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
|
||||
<img src="media/image8.png" width="197" height="316" />
|
||||
-->
|
||||
|
||||

|
||||
|
||||
Availability categories are explained in the table below.
|
||||
|
68
windows/deploy/upgrade-analytics-review-site-discovery.md
Normal file
@ -0,0 +1,68 @@
|
||||
---
|
||||
title: Review site discovery
|
||||
description: Explains how to review internet web site discovery with Upgrade Analytics.
|
||||
ms.prod: w10
|
||||
author: Justinha
|
||||
---
|
||||
|
||||
# Review site discovery
|
||||
|
||||
This section of the Upgrade Analytics workflow provides an inventory of web sites that are being used by client computers that run Internet Explorer on Windows 8.1 and Windows 7 in your environment. This inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. Data from Microsoft Edge is not collected.
|
||||
|
||||
> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
|
||||
|
||||
## Install prerequisite security update for Internet Explorer
|
||||
|
||||
Ensure the following prerequisites are met before using site discovery:
|
||||
|
||||
1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update](https://support.microsoft.com/kb/3170106) and later.
|
||||
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
|
||||
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it.
|
||||
|
||||
If necessary, you can also enable it by creating the following registry entry.
|
||||
|
||||
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
|
||||
|
||||
Entry name: IEDataOptIn
|
||||
|
||||
Data type: DWORD
|
||||
|
||||
Values:
|
||||
|
||||
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
|
||||
>
|
||||
> *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
|
||||
>
|
||||
> *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
|
||||
>
|
||||
> *IEOptInLevel = 3 Data collection is enabled for all sites*
|
||||
|
||||
For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
|
||||
|
||||

|
||||
|
||||
## Review most active sites
|
||||
|
||||
This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
|
||||
|
||||
For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
|
||||
|
||||

|
||||
|
||||
Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
|
||||
|
||||

|
||||
|
||||
## Review document modes in use
|
||||
|
||||
This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
|
||||
|
||||

|
||||
|
||||
## Run browser-related queries
|
||||
|
||||
You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
|
||||
|
||||

|
||||
|
||||
|
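Review bot: The registry instructions name the entry IEDataOptIn (DWORD) but list its values as "IEOptInLevel = 0" through "IEOptInLevel = 3"; give the values as plain DWORD data or explain what IEOptInLevel refers to, and format the key path as code. Prerequisite step 2 misspells "telemetry" as "telemetery". The heading "Install prerequisite security update for Internet Explorer" covers three steps, only the first of which is an Internet Explorer update; step 3 is the one that turns on silent collection of browsing data, so it would be easier to audit under its own heading next to the note about employee notice. The note states that collection covers all sites visited once the feature is on, while the value list scopes collection by security zone at levels 1 and 2; reconcile the two statements.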
@ -23,4 +23,6 @@ The Upgrade Analytics workflow gives you compatibility and usage information abo
|
||||
|
||||
3. [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)
|
||||
|
||||
4. [Review site discovery](upgrade-analytics-review-site-discovery.md)
|
||||
|
||||
|
||||
|
@ -19,9 +19,11 @@ author: greg-lindsay
|
||||
|
||||
This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
|
||||
|
||||
>**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported.
|
||||
|
||||
>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
|
||||
|
||||
>**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
|
||||
>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#Free-upgrade-paths).
|
||||
|
||||
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
|
||||
D = Edition downgrade; personal data is maintained, applications and settings are removed.
|
||||
|
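Review bot: The replacement **Free upgrade** note says the offer expired on July 29, 2016 but still directs readers to [Free upgrade paths](#Free-upgrade-paths) for more information; check that the linked section is updated in the same change so it no longer presents those paths as available, and that the mixed-case fragment resolves. In the new **Windows 10 LTSB** note, "The upgrade paths displayed below do not apply" would be clearer if it said what LTSB customers should do instead, since the next sentence only states that in-place upgrade is not supported.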
@ -38,7 +38,15 @@
|
||||
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
|
||||
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
|
||||
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
|
||||
## [VPN profile options](vpn-profile-options.md)
|
||||
## [VPN technical guide](vpn-guide.md)
|
||||
### [VPN connection types](vpn-connection-type.md)
|
||||
### [VPN routing decisions](vpn-routing.md)
|
||||
### [VPN authentication options](vpn-authentication.md)
|
||||
### [VPN and conditional access](vpn-conditional-access.md)
|
||||
### [VPN name resolution](vpn-name-resolution.md)
|
||||
### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
|
||||
### [VPN security features](vpn-security-features.md)
|
||||
### [VPN profile options](vpn-profile-options.md)
|
||||
## [Windows security baselines](windows-security-baselines.md)
|
||||
## [Security technologies](security-technologies.md)
|
||||
### [Access Control Overview](access-control.md)
|
||||
|
@ -12,6 +12,12 @@ author: brianlic-msft
|
||||
# Change history for Keep Windows 10 secure
|
||||
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
|
||||
|
||||
## October 2016
|
||||
|
||||
| New or changed topic | Description |
|
||||
| --- | --- |
|
||||
| [VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
|
||||
|
||||
## September 2016
|
||||
|
||||
| New or changed topic | Description |
|
||||
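Review bot: The October 2016 entry describes the VPN technical guide as "replacing previous **VPN profile options** topic", but the table of contents changed in this same commit keeps vpn-profile-options.md as a child of the guide. Reword the description to say the topic moved under the new guide, so readers following existing links know it still exists.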
@ -20,7 +26,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|
||||
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
|
||||
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
|
||||
| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
|
||||
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
|
||||
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq example and added a new Windows PowerShell example for creating a self-signed certificate |
|
||||
|
||||
## August 2016
|
||||
|New or changed topic | Description |
|
||||
|
@ -33,15 +33,54 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
|
||||
|
||||
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. Click **Endpoint Management** on the **Navigation pane**.
|
||||
a. Select **Endpoint Management** on the **Navigation pane**.
|
||||
|
||||
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
|
||||
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
|
||||
|
||||

|
||||
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
|
||||
|
||||
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
|
||||
|
||||
Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
|
||||
a. Select **Policy** > **Configuration Policies** > **Add**.
|
||||

|
||||
|
||||
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
|
||||

|
||||
|
||||
c. Type a name and description for the policy.
|
||||

|
||||
|
||||
d. Under OMA-URI settings, select **Add...**.
|
||||

|
||||
|
||||
e. Type the following values then select **OK**:
|
||||
|
||||

|
||||
|
||||
- **Setting name**: Type a name for the setting.
|
||||
- **Setting description**: Type a description for the setting.
|
||||
- **Data type**: Select **String**.
|
||||
- **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
|
||||
- **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
|
||||
|
||||
|
||||
f. Save the policy.
|
||||
|
||||

|
||||
|
||||
g. Deploy the policy.
|
||||
|
||||

|
||||
|
||||
h. Select the device group to deploy the policy to:
|
||||
|
||||

|
||||
|
||||
When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**.
|
||||
|
||||
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
|
||||
- Onboarding
|
||||
- Health Status for onboarded machines
|
||||
- Configuration for onboarded machines
|
||||
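Review bot: Steps g and h ("Deploy the policy." and "Select the device group to deploy the policy to:") depend entirely on their screenshots, unlike steps a and b, which give the menu path in text; name the controls so the procedure works without the images. In step e the screenshot precedes the list of values it illustrates. The closing sentence only says endpoints "will be shown in the **Machines view**"; point to the HealthState/OnBoardingState and HealthState/SenseIsRunning settings in the table that follows as the way to confirm onboarding succeeded. "When the policy is deployed and is propagated" has an extra "is".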
@ -49,10 +88,10 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end
|
||||
Policy | OMA-URI | Type | Value | Description
|
||||
:---|:---|:---|:---|:---
|
||||
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
|
||||
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
|
||||
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
|
||||
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
|
||||
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
|
||||
Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
|
||||
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
|
||||
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
|
||||
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
@ -83,8 +122,8 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
|
||||
Policy | OMA-URI | Type | Value | Description
|
||||
:---|:---|:---|:---|:---
|
||||
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
|
||||
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
|
||||
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
|
||||
Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
|
||||
Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
|
||||
|
||||
> [!NOTE]
|
||||
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
|
||||
|
@ -40,89 +40,64 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
|
||||
|
||||
## Hardware and software requirements
|
||||
|
||||
The PC must meet the following hardware and software requirements to use Credential Guard:
|
||||
To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Requirement</th>
|
||||
<th align="left">Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows 10 Enterprise</p></td>
|
||||
<td align="left"><p>The PC must be running Windows 10 Enterprise.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>UEFI firmware version 2.3.1 or higher and Secure Boot</p></td>
|
||||
<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Virtualization extensions</p></td>
|
||||
<td align="left"><p>The following virtualization extensions are required to support virtualization-based security:</p>
|
||||
<ul>
|
||||
<li>Intel VT-x or AMD-V</li>
|
||||
<li>Second Level Address Translation</li>
|
||||
</ul></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>x64 architecture</p></td>
|
||||
<td align="left"><p>The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>A VT-d or AMD-Vi IOMMU (Input/output memory management unit)</p></td>
|
||||
<td align="left"><p>In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Trusted Platform Module (TPM) version 1.2 or 2.0</p></td>
|
||||
<td align="left"><p>TPM 1.2 and 2.0 provides protection for encryption keys used by virtualization-based security to protect Credential Guard secrets where all other keys are stored. See the following table to determine which TPM versions are supported on your OS.</p>
|
||||
<table>
|
||||
<th>OS version</th>
|
||||
<th>Required TPM</th>
|
||||
<tr>
|
||||
<td>Windows 10 version 1507</td>
|
||||
<td>TPM 2.0</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Windows 10 version 1511, Windows Server 2016, or later</td>
|
||||
<td>TPM 2.0 or TPM 1.2</td>
|
||||
</tr>
|
||||
</table>
|
||||
<div class="alert">
|
||||
<strong>Note</strong> If you don't have a TPM installed, Credential Guard will still be enabled, but the virtualization-based security keys used to protect Credential Guard secrets will not bound to the TPM. Instead, the keys will be protected in a UEFI Boot Service variable.
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Secure firmware update process</p></td>
|
||||
<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.</p><p>Credential Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx)</p></td>
|
||||
<td align="left"><p>Credential Guard requires the secure MOR bit to help prevent certain memory attacks.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Physical PC</p></td>
|
||||
<td align="left"><p>For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Virtual machine</p></td>
|
||||
<td align="left"><p>For PCs running Windows 10, version 1607 or Windows Server 2016, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
|
||||
</tr>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Hypervisor</p></td>
|
||||
<td align="left"><p>You must use the Windows hypervisor.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
¹ If you choose the **Secure Boot and DMA protection** option in the Group Policy setting, an IOMMU is required. The **Secure Boot** Group Policy option enables Credential Guard on devices without an IOMMU.
|
||||
You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
|
||||
|
||||
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
|
||||
|
||||
> [!NOTE]
|
||||
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
|
||||
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
|
||||
|
||||
|
||||
## Credential Guard requirements for baseline protections
|
||||
|
||||
|Baseline Protections - requirement | Description |
|
||||
|---------------------------------------------|----------------------------------------------------|
|
||||
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
|
||||
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
|
||||
| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU<br><br>**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
|
||||
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
|
||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||
| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation<br><br>**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
|
||||
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
|
||||
|
||||
## Credential Guard requirements for improved security
|
||||
|
||||
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
|
||||
|
||||
### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
|
||||
|
||||
| Protections for Improved Security - requirement | Description |
|
||||
|---------------------------------------------|----------------------------------------------------|
|
||||
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
|
||||
|
||||
<br>
|
||||
|
||||
### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
|
||||
|
||||
| Protections for Improved Security - requirement | Description |
|
||||
|---------------------------------------------|----------------------------------------------------|
|
||||
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
|
||||
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
|
||||
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
|
||||
|
||||
<br>
|
||||
|
||||
### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017)
|
||||
|
||||
| Protections for Improved Security - requirement | Description |
|
||||
|---------------------------------------------|----------------------------------------------------|
|
||||
| Firmware: **UEFI NX Protections** | **Requirements**:<br>- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.<br><br>UEFI Runtime Services:<br>- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.<br>- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.<br>- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware. |
|
||||
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
|
||||
|
||||
## Manage Credential Guard
|
||||
|
||||
|
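Review bot: The hardware requirements HTML table has an unbalanced row: the `</tr>` that follows the "Virtual machine" row's own closing tag has no opening `<tr>`, and the "Hypervisor" row after it repeats `class="even"`, which suggests a row was deleted without its closing tag. Remove the stray `</tr>` and give the Hypervisor row `class="odd"`. In the same table, the nested TPM table places its two `<th>` cells directly under `<table>` with no enclosing `<tr>`, and the `[System.Fundamentals.Firmware.UEFISecureBoot](...)` and `[Secure MOR implementation](...)` links use Markdown syntax inside `<td><p>` elements, which many Markdown renderers leave as literal text; use `<a href>` there. Wording: "will not bound to the TPM" should read "will not be bound to the TPM", "TPM 1.2 and 2.0 provides" should read "provide", and "The following tables describes" should read "describe". In the 2017 table, the "Firmware support for SMM protection" row describes the WSMT specification but never states what the firmware must implement, and its first two security benefits repeat the UEFI NX row word for word; state the actual requirement and keep only the SMM-specific benefit.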
BIN
windows/keep-secure/images/atp-intune-add-oma.png
Normal file
After Width: | Height: | Size: 31 KiB |
BIN
windows/keep-secure/images/atp-intune-add-policy.png
Normal file
After Width: | Height: | Size: 116 KiB |
BIN
windows/keep-secure/images/atp-intune-deploy-policy.png
Normal file
After Width: | Height: | Size: 43 KiB |
BIN
windows/keep-secure/images/atp-intune-manage-deployment.png
Normal file
After Width: | Height: | Size: 63 KiB |
BIN
windows/keep-secure/images/atp-intune-new-policy.png
Normal file
After Width: | Height: | Size: 178 KiB |
BIN
windows/keep-secure/images/atp-intune-oma-uri-setting.png
Normal file
After Width: | Height: | Size: 54 KiB |
BIN
windows/keep-secure/images/atp-intune-policy-name.png
Normal file
After Width: | Height: | Size: 45 KiB |
BIN
windows/keep-secure/images/atp-intune-save-policy.png
Normal file
After Width: | Height: | Size: 96 KiB |
BIN
windows/keep-secure/images/atp-onboard-mdm.png
Normal file
After Width: | Height: | Size: 80 KiB |
BIN
windows/keep-secure/images/vpn-app-rules.png
Normal file
After Width: | Height: | Size: 21 KiB |
BIN
windows/keep-secure/images/vpn-app-trigger.PNG
Normal file
After Width: | Height: | Size: 23 KiB |
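Review bot: `vpn-app-trigger.PNG` is added with an upper-case extension while every other image in this change uses `.png`. A reference written as `images/vpn-app-trigger.png` will not resolve on a case-sensitive file system, so rename the file to the lower-case extension or confirm that the topic linking to it uses the exact same casing.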
BIN
windows/keep-secure/images/vpn-conditional-access-intune.png
Normal file
After Width: | Height: | Size: 13 KiB |
BIN
windows/keep-secure/images/vpn-connection-intune.png
Normal file
After Width: | Height: | Size: 11 KiB |
BIN
windows/keep-secure/images/vpn-connection.png
Normal file
After Width: | Height: | Size: 94 KiB |
BIN
windows/keep-secure/images/vpn-custom-xml-intune.png
Normal file
After Width: | Height: | Size: 2.4 KiB |
BIN
windows/keep-secure/images/vpn-device-compliance.png
Normal file
After Width: | Height: | Size: 82 KiB |
BIN
windows/keep-secure/images/vpn-eap-xml.png
Normal file
After Width: | Height: | Size: 11 KiB |
BIN
windows/keep-secure/images/vpn-intune-policy.png
Normal file
After Width: | Height: | Size: 8.5 KiB |
BIN
windows/keep-secure/images/vpn-name-intune.png
Normal file
After Width: | Height: | Size: 14 KiB |
BIN
windows/keep-secure/images/vpn-profilexml-intune.png
Normal file
After Width: | Height: | Size: 53 KiB |
BIN
windows/keep-secure/images/vpn-split-route.png
Normal file
After Width: | Height: | Size: 22 KiB |