diff --git a/.gitignore b/.gitignore
index 604950802e..a39f55da7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,4 @@ Tools/NuGet/
packages.config
# User-specific files
-.vs/
\ No newline at end of file
+.vs/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000..a2c95fc155
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,395 @@
+Attribution 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+ Considerations for licensors: Our public licenses are
+ intended for use by those authorized to give the public
+ permission to use material in ways otherwise restricted by
+ copyright and certain other rights. Our licenses are
+ irrevocable. Licensors should read and understand the terms
+ and conditions of the license they choose before applying it.
+ Licensors should also secure all rights necessary before
+ applying our licenses so that the public can reuse the
+ material as expected. Licensors should clearly mark any
+ material not subject to the license. This includes other CC-
+ licensed material, or material used under an exception or
+ limitation to copyright. More considerations for licensors:
+ wiki.creativecommons.org/Considerations_for_licensors
+
+ Considerations for the public: By using one of our public
+ licenses, a licensor grants the public permission to use the
+ licensed material under specified terms and conditions. If
+ the licensor's permission is not necessary for any reason--for
+ example, because of any applicable exception or limitation to
+ copyright--then that use is not regulated by the license. Our
+ licenses grant only permissions under copyright and certain
+ other rights that a licensor has authority to grant. Use of
+ the licensed material may still be restricted for other
+ reasons, including because others have copyright or other
+ rights in the material. A licensor may make special requests,
+ such as asking that all changes be marked or described.
+ Although not required by our licenses, you are encouraged to
+ respect those requests where reasonable. More_considerations
+ for the public:
+ wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution 4.0 International Public License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution 4.0 International Public License ("Public License"). To the
+extent this Public License may be interpreted as a contract, You are
+granted the Licensed Rights in consideration of Your acceptance of
+these terms and conditions, and the Licensor grants You such rights in
+consideration of benefits the Licensor receives from making the
+Licensed Material available under these terms and conditions.
+
+
+Section 1 -- Definitions.
+
+ a. Adapted Material means material subject to Copyright and Similar
+ Rights that is derived from or based upon the Licensed Material
+ and in which the Licensed Material is translated, altered,
+ arranged, transformed, or otherwise modified in a manner requiring
+ permission under the Copyright and Similar Rights held by the
+ Licensor. For purposes of this Public License, where the Licensed
+ Material is a musical work, performance, or sound recording,
+ Adapted Material is always produced where the Licensed Material is
+ synched in timed relation with a moving image.
+
+ b. Adapter's License means the license You apply to Your Copyright
+ and Similar Rights in Your contributions to Adapted Material in
+ accordance with the terms and conditions of this Public License.
+
+ c. Copyright and Similar Rights means copyright and/or similar rights
+ closely related to copyright including, without limitation,
+ performance, broadcast, sound recording, and Sui Generis Database
+ Rights, without regard to how the rights are labeled or
+ categorized. For purposes of this Public License, the rights
+ specified in Section 2(b)(1)-(2) are not Copyright and Similar
+ Rights.
+
+ d. Effective Technological Measures means those measures that, in the
+ absence of proper authority, may not be circumvented under laws
+ fulfilling obligations under Article 11 of the WIPO Copyright
+ Treaty adopted on December 20, 1996, and/or similar international
+ agreements.
+
+ e. Exceptions and Limitations means fair use, fair dealing, and/or
+ any other exception or limitation to Copyright and Similar Rights
+ that applies to Your use of the Licensed Material.
+
+ f. Licensed Material means the artistic or literary work, database,
+ or other material to which the Licensor applied this Public
+ License.
+
+ g. Licensed Rights means the rights granted to You subject to the
+ terms and conditions of this Public License, which are limited to
+ all Copyright and Similar Rights that apply to Your use of the
+ Licensed Material and that the Licensor has authority to license.
+
+ h. Licensor means the individual(s) or entity(ies) granting rights
+ under this Public License.
+
+ i. Share means to provide material to the public by any means or
+ process that requires permission under the Licensed Rights, such
+ as reproduction, public display, public performance, distribution,
+ dissemination, communication, or importation, and to make material
+ available to the public including in ways that members of the
+ public may access the material from a place and at a time
+ individually chosen by them.
+
+ j. Sui Generis Database Rights means rights other than copyright
+ resulting from Directive 96/9/EC of the European Parliament and of
+ the Council of 11 March 1996 on the legal protection of databases,
+ as amended and/or succeeded, as well as other essentially
+ equivalent rights anywhere in the world.
+
+ k. You means the individual or entity exercising the Licensed Rights
+ under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+ a. License grant.
+
+ 1. Subject to the terms and conditions of this Public License,
+ the Licensor hereby grants You a worldwide, royalty-free,
+ non-sublicensable, non-exclusive, irrevocable license to
+ exercise the Licensed Rights in the Licensed Material to:
+
+ a. reproduce and Share the Licensed Material, in whole or
+ in part; and
+
+ b. produce, reproduce, and Share Adapted Material.
+
+ 2. Exceptions and Limitations. For the avoidance of doubt, where
+ Exceptions and Limitations apply to Your use, this Public
+ License does not apply, and You do not need to comply with
+ its terms and conditions.
+
+ 3. Term. The term of this Public License is specified in Section
+ 6(a).
+
+ 4. Media and formats; technical modifications allowed. The
+ Licensor authorizes You to exercise the Licensed Rights in
+ all media and formats whether now known or hereafter created,
+ and to make technical modifications necessary to do so. The
+ Licensor waives and/or agrees not to assert any right or
+ authority to forbid You from making technical modifications
+ necessary to exercise the Licensed Rights, including
+ technical modifications necessary to circumvent Effective
+ Technological Measures. For purposes of this Public License,
+ simply making modifications authorized by this Section 2(a)
+ (4) never produces Adapted Material.
+
+ 5. Downstream recipients.
+
+ a. Offer from the Licensor -- Licensed Material. Every
+ recipient of the Licensed Material automatically
+ receives an offer from the Licensor to exercise the
+ Licensed Rights under the terms and conditions of this
+ Public License.
+
+ b. No downstream restrictions. You may not offer or impose
+ any additional or different terms or conditions on, or
+ apply any Effective Technological Measures to, the
+ Licensed Material if doing so restricts exercise of the
+ Licensed Rights by any recipient of the Licensed
+ Material.
+
+ 6. No endorsement. Nothing in this Public License constitutes or
+ may be construed as permission to assert or imply that You
+ are, or that Your use of the Licensed Material is, connected
+ with, or sponsored, endorsed, or granted official status by,
+ the Licensor or others designated to receive attribution as
+ provided in Section 3(a)(1)(A)(i).
+
+ b. Other rights.
+
+ 1. Moral rights, such as the right of integrity, are not
+ licensed under this Public License, nor are publicity,
+ privacy, and/or other similar personality rights; however, to
+ the extent possible, the Licensor waives and/or agrees not to
+ assert any such rights held by the Licensor to the limited
+ extent necessary to allow You to exercise the Licensed
+ Rights, but not otherwise.
+
+ 2. Patent and trademark rights are not licensed under this
+ Public License.
+
+ 3. To the extent possible, the Licensor waives any right to
+ collect royalties from You for the exercise of the Licensed
+ Rights, whether directly or through a collecting society
+ under any voluntary or waivable statutory or compulsory
+ licensing scheme. In all other cases the Licensor expressly
+ reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+ a. Attribution.
+
+ 1. If You Share the Licensed Material (including in modified
+ form), You must:
+
+ a. retain the following if it is supplied by the Licensor
+ with the Licensed Material:
+
+ i. identification of the creator(s) of the Licensed
+ Material and any others designated to receive
+ attribution, in any reasonable manner requested by
+ the Licensor (including by pseudonym if
+ designated);
+
+ ii. a copyright notice;
+
+ iii. a notice that refers to this Public License;
+
+ iv. a notice that refers to the disclaimer of
+ warranties;
+
+ v. a URI or hyperlink to the Licensed Material to the
+ extent reasonably practicable;
+
+ b. indicate if You modified the Licensed Material and
+ retain an indication of any previous modifications; and
+
+ c. indicate the Licensed Material is licensed under this
+ Public License, and include the text of, or the URI or
+ hyperlink to, this Public License.
+
+ 2. You may satisfy the conditions in Section 3(a)(1) in any
+ reasonable manner based on the medium, means, and context in
+ which You Share the Licensed Material. For example, it may be
+ reasonable to satisfy the conditions by providing a URI or
+ hyperlink to a resource that includes the required
+ information.
+
+ 3. If requested by the Licensor, You must remove any of the
+ information required by Section 3(a)(1)(A) to the extent
+ reasonably practicable.
+
+ 4. If You Share Adapted Material You produce, the Adapter's
+ License You apply must not prevent recipients of the Adapted
+ Material from complying with this Public License.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+ a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+ to extract, reuse, reproduce, and Share all or a substantial
+ portion of the contents of the database;
+
+ b. if You include all or a substantial portion of the database
+ contents in a database in which You have Sui Generis Database
+ Rights, then the database in which You have Sui Generis Database
+ Rights (but not its individual contents) is Adapted Material; and
+
+ c. You must comply with the conditions in Section 3(a) if You Share
+ all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+ a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ c. The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+ a. This Public License applies for the term of the Copyright and
+ Similar Rights licensed here. However, if You fail to comply with
+ this Public License, then Your rights under this Public License
+ terminate automatically.
+
+ b. Where Your right to use the Licensed Material has terminated under
+ Section 6(a), it reinstates:
+
+ 1. automatically as of the date the violation is cured, provided
+ it is cured within 30 days of Your discovery of the
+ violation; or
+
+ 2. upon express reinstatement by the Licensor.
+
+ For the avoidance of doubt, this Section 6(b) does not affect any
+ right the Licensor may have to seek remedies for Your violations
+ of this Public License.
+
+ c. For the avoidance of doubt, the Licensor may also offer the
+ Licensed Material under separate terms or conditions or stop
+ distributing the Licensed Material at any time; however, doing so
+ will not terminate this Public License.
+
+ d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+ License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+ a. The Licensor shall not be bound by any additional or different
+ terms or conditions communicated by You unless expressly agreed.
+
+ b. Any arrangements, understandings, or agreements regarding the
+ Licensed Material not stated herein are separate from and
+ independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+ a. For the avoidance of doubt, this Public License does not, and
+ shall not be interpreted to, reduce, limit, restrict, or impose
+ conditions on any use of the Licensed Material that could lawfully
+ be made without permission under this Public License.
+
+ b. To the extent possible, if any provision of this Public License is
+ deemed unenforceable, it shall be automatically reformed to the
+ minimum extent necessary to make it enforceable. If the provision
+ cannot be reformed, it shall be severed from this Public License
+ without affecting the enforceability of the remaining terms and
+ conditions.
+
+ c. No term or condition of this Public License will be waived and no
+ failure to comply consented to unless expressly agreed to by the
+ Licensor.
+
+ d. Nothing in this Public License constitutes or may be interpreted
+ as a limitation upon, or waiver of, any privileges and immunities
+ that apply to the Licensor or You, including from the legal
+ processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
\ No newline at end of file
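Review bot: The cross-references in Section 2(a)(6) and Section 3(a)(3) point to "Section 3(a)(1)(A)(i)" and "Section 3(a)(1)(A)", but the sub-items under 3(a)(1) in this file are lettered in lowercase ("a. retain the following ..."), so the references match no label in the text as committed. Compare the file against the canonical plain-text legalcode and restore its lettering rather than editing by hand. The closing paragraph also puts curly quotes around “Licensor.” while the rest of the file uses straight quotes, and the file ends without a trailing newline, which is the same defect this commit fixes in .gitignore.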
diff --git a/LICENSE-CODE b/LICENSE-CODE
new file mode 100644
index 0000000000..b17b032a43
--- /dev/null
+++ b/LICENSE-CODE
@@ -0,0 +1,17 @@
+The MIT License (MIT)
+Copyright (c) Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
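Review bot: LICENSE-CODE is added without a trailing newline after "SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."; this commit corrects exactly that in .gitignore, so end the new file with a newline as well.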
diff --git a/README.md b/README.md
index 8864d2a10e..01059ee91d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
+## Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+
# Windows IT professional documentation
Welcome! This repository houses the docs that are written for IT professionals for the following products:
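Review bot: The new "## Microsoft Open Source Code of Conduct" section is inserted above the "# Windows IT professional documentation" title, so the README now opens with a level-2 heading and the page title comes second. Move the Code of Conduct section below the introduction, or to the end of the file, so the H1 stays first.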
diff --git a/ThirdPartyNotices b/ThirdPartyNotices
new file mode 100644
index 0000000000..a0bd09d68f
--- /dev/null
+++ b/ThirdPartyNotices
@@ -0,0 +1,15 @@
+##Legal Notices
+Microsoft and any contributors grant you a license to the Microsoft documentation and other content
+in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode),
+see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the
+[LICENSE-CODE](LICENSE-CODE) file.
+
+Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation
+may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.
+The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
+Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.
+
+Privacy information can be found at https://privacy.microsoft.com/en-us/
+
+Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents,
+or trademarks, whether by implication, estoppel or otherwise.
\ No newline at end of file
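Review bot: The first added line, "##Legal Notices", has no space after the hashes, so CommonMark-based renderers show it as literal text; write "## Legal Notices". The file also has no extension, so the Markdown links in it may not render at all; consider naming it with .md or writing it as plain text. In the last paragraph, "reserve all others rights" should read "reserve all other rights". The trademark guidelines link uses http:// while the privacy link uses https://; use HTTPS for both if the target supports it. The name ThirdPartyNotices does not match the content, which describes the repository's own licensing and trademarks and lists no third-party components.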
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index 1949a24903..1717c9f622 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -11,6 +11,11 @@ ms.sitesec: library
# Change history for Internet Explorer 11
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
+## March 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
+
## November 2016
|New or changed topic | Description |
|----------------------|-------------|
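Review bot: The description in the new March 2017 row is hard to parse: "Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings." reads as if the button opens Microsoft Edge settings. Set the two policy names apart, for example in bold, and end the sentence with "policy settings" so it is clear that two settings were added.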
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index d63465dbe0..149ef61a09 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -16,63 +16,33 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manag
|Policy |Category Path |Supported on |Explanation |
|-------|--------------|-------------|------------|
-|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.
If you enable this policy setting, IE doesn't load any websites or content in the background.
If you disable this policy setting, IE preemptively loads websites and content in the background.
If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. |
-|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. |
-|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.
If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.
If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.
If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. |
-|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.
If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.
If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.
**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
|Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.
If you enable this policy setting, IE uses the HTTP2 network protocol.
If you disable this policy setting, IE won't use the HTTP2 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. |
+|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.
If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.
If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.
**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
+|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. |
+|Allow only approved domains to use the TDC ActiveX control |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
|IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.
If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. |
+|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.
If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.
If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.
**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
+|Allow VBScript to run in Internet Explorer|
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
|Internet Explorer 11|This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.If you enable this policy setting (default), you must also pick one of the following options from the Options box:
- Enable. VBScript runs on pages in specific zones, without any interaction.
- Prompt. Employees are prompted whether to allow VBScript to run in the zone.
- Disable. VBScript is prevented from running in the zone.
If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone.|
+|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.
If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
|Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
|IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
|Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
|IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. |
-|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
-|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.
If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:
- **0.** Never encode query strings.
- **1.** Only encode query strings for URLs that aren't in the Intranet zone.
- **2.** Only encode query strings for URLs that are in the Intranet zone.
- **3.** Always encode query strings.
If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. |
-|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.
If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.
If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.
If you don't configure this policy setting, users can turn this behavior on or off. |
-|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
-|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.
**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.
If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.
If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.
If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. |
-|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.
If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
-|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
-|Allow only approved domains to use the TDC ActiveX control |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
|IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.
If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. |
-|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
-|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Hide the button (next to the New Tab button) that opens Microsoft Edge |User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ |IE11 on Windows 10, Windows Insider Program |This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.
If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.
If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.
If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. |
+|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. |
|Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
|Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.
To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
- 0 – Restricted Sites zone
- 0 – Internet zone
- 0 – Trusted Sites zone
- 0 – Local Intranet zone
- 0 – Local Machine zone
**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
- 0 – Restricted Sites zone
- 0 – Internet zone
- 0 – Trusted Sites zone
- 1 – Local Intranet zone
- 0 – Local Machine zone
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
- 1 – Restricted Sites zone
- 0 – Internet zone
- 1 – Trusted Sites zone
- 1 – Local Intranet zone
- 1 – Local Machine zone
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
-|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.
If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.
If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
-|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.
If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.
If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.
**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
-|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. |
-|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
+|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.
**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.
If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.
If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.
If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. |
|Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.
If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.
If you disable or don't configure this policy setting, all sites will open based on the currently active browser.
**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. |
|Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.
If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.
If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.
**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
+|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.
If you enable this policy setting, IE doesn't load any websites or content in the background.
If you disable this policy setting, IE preemptively loads websites and content in the background.
If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. |
+|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.
If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.
If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.
If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. |
+|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.
If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.
If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.
If you don't configure this policy setting, users can turn this behavior on or off. |
+|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.
If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:
- **0.** Never encode query strings.
- **1.** Only encode query strings for URLs that aren't in the Intranet zone.
- **2.** Only encode query strings for URLs that are in the Intranet zone.
- **3.** Always encode query strings.
If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. |
+|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
+|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
+|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
+|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
## Removed Group Policy settings
IE11 no longer supports these Group Policy settings:
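Review bot: In the "Use the Enterprise Mode IE website list" row, the text says Internet Explorer "downloads the Enterprise Mode website list from the ... hive", which conflicts with the row's first sentence that the setting specifies where to find the list; reword so the registry key is where the list location is read from, not the download source. The code span also closes after `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`, leaving the rest of the key path outside it with bare backslashes, so put the whole path in one span. The two Site Discovery rows say "an WMI class"; that should be "a WMI class".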
diff --git a/devices/surface-hub/images/sh-55-rpc-ports.png b/devices/surface-hub/images/sh-55-rpc-ports.png
index dfea48ef96..7df98f2277 100644
Binary files a/devices/surface-hub/images/sh-55-rpc-ports.png and b/devices/surface-hub/images/sh-55-rpc-ports.png differ
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 8905e5b36c..6510d41971 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```PowerShell
Set-ExecutionPolicy Unrestricted
$org='contoso.microsoft.com'
- $cred=Get-Credential $admin@$org
+ $cred=Get-Credential admin@$org
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
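Review bot: The unchanged `Set-ExecutionPolicy Unrestricted` line at the top of this block has no `-Scope`, so a reader who pastes the sample relaxes script execution for the whole machine rather than for this session; since the block is being corrected anyway, consider `Set-ExecutionPolicy RemoteSigned -Scope Process` or at least a sentence telling the reader to restore the previous policy. On the changed line, quoting the argument as `"admin@$org"` would make the expansion of `$org` explicit. The session is also created with `-Authentication Basic`, which is worth a word in the surrounding text about why it is required here.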
@@ -51,7 +51,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
```PowerShell
- $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+ $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
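Review bot: The added `-AllowNonProvisionableDevices $True` loosens the policy (devices that cannot enforce every policy setting are allowed to sync), but the sentence above the block still only describes creating a policy, so the reader is not told why the switch is needed or what it permits; add a line of explanation. The prose also names the policy "Surface Hubs" while the command creates "SurfaceHubs", and the line mixes `$false` with `$True`; pick one spelling and one casing.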
@@ -112,6 +112,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
```
OR by setting a variable
+
```PowerShell
$strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool
```
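Review bot: The unchanged `Get-CsOnlineUser` lines in this hunk still use typographic quotes (‘alice@contoso.com’), while the `New-MobileDeviceMailboxPolicy` hunk earlier in this file replaces the typographic quotes around SurfaceHubs with straight ones; convert these as well so every sample in the file pastes the same way.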
@@ -120,7 +121,11 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress
+ ```
+
OR using the $strRegistarPool variable from above
+
+ ```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress
```
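Review bot: The context line "OR using the $strRegistarPool variable from above" misspells the variable that the samples define and use as `$strRegistrarPool`; fix the spelling while the fences around it are being corrected, otherwise a reader copying the name from the prose gets an empty variable. The added fence lines also carry a leading space that the other fences in this file do not have.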
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index d229e05de5..16fd8c71d1 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -267,6 +267,9 @@ The current volume level is a range from 0 to 100.
Changes to volume levels can be sent by a room control system, or other system.
+>[!NOTE]
+>The Volume command will only control the volume for embedded or Replacement PC mode, not from [Guest sources](connect-and-display-with-surface-hub.md).
+
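Review bot: The added note says the Volume command controls volume "for embedded or Replacement PC mode, not from Guest sources", which mixes a device mode with an input source and leaves it unclear what happens when a guest source is connected; state it in terms of one thing, for example that the command does not change the volume of audio coming from a guest source.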
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 4a39f0775e..2b7f54801b 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -18,6 +18,9 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
+>[!IMPORTANT]
+>Microsoft Surface Data Eraser uses the NVM Express (NVMe) format command to erase data as authorized in [NIST Special Publication 800-88 Revision 1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf).
+
Compatible Surface devices include:
- Surface Studio
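Review bot: The added note links NIST SP 800-88 Revision 1 over `http://`; use the `https://` form of the URL. It also says the NVMe format command erases data "as authorized in" the publication without naming which sanitization category the tool is claimed to meet, which is what a reader checking the tool against a disposal policy needs to know; "as described in" plus the category would be more precise.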
diff --git a/education/windows/index.md b/education/windows/index.md
index bf4146606d..6ee2d1946a 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -1,6 +1,6 @@
---
title: Windows 10 for Education (Windows 10)
-description: Learn how to use Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
keywords: Windows 10, education
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/license.md b/license.md
deleted file mode 100644
index 0e5cb57b99..0000000000
--- a/license.md
+++ /dev/null
@@ -1,7 +0,0 @@
-Copyright (c) Microsoft Corporation. Distributed under the following terms:
-
-1. Microsoft and any contributors to this project each grants you a license, under its respective copyrights, to the documentation under the [Creative Commons Attribution 3.0 United States License](http://creativecommons.org/licenses/by/3.0/us/legalcode). In addition, with respect to any sample code contained in the documentation, Microsoft and any such contributors grants you an additional license, under its respective intellectual property rights, to use the code to develop or design your software for Microsoft Windows.
-
-2. Microsoft, Windows, and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. This license does not grant you rights to use any names, logos, or trademarks. For Microsoft’s general trademark guidelines, go to [https://go.microsoft.com/fwlink/?LinkID=254653](https://go.microsoft.com/fwlink/?LinkID=254653).
-
-3. Microsoft and any contributors reserves all others rights, whether under copyrights, patents, or trademarks, or by implication, estoppel or otherwise.
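Review bot: The deleted file did more than license the documentation: clause 1 gave a separate grant for sample code and clause 2 reserved trademark rights, and the LICENSE file added in this commit is the Attribution 4.0 International text, which is a documentation license. Confirm that the sample-code grant and the trademark notice are carried somewhere else in the repository, and note the move from the 3.0 United States license to 4.0 International in the commit message.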
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index 8b3704c3a9..bd506092d0 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -441,14 +441,14 @@ After you download the Office 2016 applications through the Office Deployment To
PACKAGEGUID (optional) |
By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
->**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
+
+ >**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
-
2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
For example:
diff --git a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md
index 34ae20a4f8..e61be318ba 100644
--- a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md
+++ b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md
@@ -29,7 +29,8 @@ Use the following procedure to view and configure default package extensions.
5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process.
->**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config. For example, changing' ' to '' will increase the maximum size to 8MB
+>**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of `C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config`.
+For example, changing `` to `` will increase the maximum size to 8MB
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
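Review bot: In the reworded note the example reads "changing `` to ``", so both code spans are empty and the one sentence that shows the actual `httpRuntime` edit carries no value, as it also did in the removed line; restore the before and after element text inside the spans. The second added line has no leading `>`, so whether it stays inside the note depends on the renderer. Referring to "line 26" of Web.config is brittle across versions; naming the element is enough, and it is worth saying to set `maxRequestLength` only as high as the configuration file requires.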
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
index c6edab05da..0f34f1b356 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
@@ -28,82 +28,15 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
You can use the App-V 5.1 Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
-**Note**
+>**Note**
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
## Supported versions of Microsoft Office
-
-The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Office 365 ProPlus
-Also supported:
- |
-
-App-V 5.0
-App-V 5.0 SP1
-App-V 5.0 SP2
-App-V 5.0 SP3
-App-V 5.1
- |
-Office Deployment Tool |
-Subscription |
-
-Desktop
-Personal VDI
-Pooled VDI
-RDS
- |
-
-
-Office Professional Plus 2013
-Also supported:
- |
-
-App-V 5.0
-App-V 5.0 SP1
-App-V 5.0 SP2
-App-V 5.0 SP3
-App-V 5.1
- |
-Office Deployment Tool |
-Volume Licensing |
-
-Desktop
-Personal VDI
-Pooled VDI
-RDS
- |
-
-
-
+See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products.
+>**Note** You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer.
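Review bot: The added note says creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported, but the table removed in this hunk listed Office Professional Plus 2013 with the Office Deployment Tool and Volume Licensing as supported. If the support statement has changed, say which Office versions the new note applies to; if it has not, the note needs rewording. The intro sentence for the section is also removed, so the heading is now followed directly by a link, and "You cannot use the App-V Sequencer" would read better joined to the first sentence of the note.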
@@ -149,7 +82,7 @@ The Office documentation provides extensive guidance on coexistence for Windows
The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience.
-**Note**
+>**Note**
Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index 38e3354323..fbda4e7ce2 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -1,4 +1,5 @@
# [Deploy Windows 10](index.md)
+## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
### [Upgrade Readiness architecture](upgrade-readiness-architecture.md)
@@ -18,25 +19,26 @@
### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
-#### [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)
-#### [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)
+#### [Key features in MDT](key-features-in-mdt.md)
+#### [MDT Lite Touch components](mdt-lite-touch-components.md)
+#### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-### [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-### [Configure MDT settings](configure-mdt-2013-settings.md)
-#### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+### [Configure MDT settings](configure-mdt-settings.md)
+#### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
#### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-#### [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+#### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
#### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
#### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-#### [Use web services in MDT](use-web-services-in-mdt-2013.md)
-#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+#### [Use web services in MDT](use-web-services-in-mdt.md)
+#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+### [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
@@ -48,8 +50,7 @@
### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
## [Convert MBR partition to GPT](mbr-to-gpt.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
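Review bot: The added entry still points at `upgrade-to-windows-10-with-system-center-configuraton-manager.md`, carrying over the "configuraton" misspelling in the file name. This commit already renames several topics and leaves a `redirect_url` stub behind for at least one of them, so this would be a convenient place to correct the name the same way.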
diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 8fb81af58a..47176515eb 100644
--- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -48,7 +48,7 @@ For the purposes of this topic, we will use CM01, a machine running Windows Serv
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 878c230d72..5be734a75b 100644
--- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -81,7 +81,7 @@ This section illustrates how to add drivers for Windows 10 through an example in
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
index d8b4505c51..06cc51df9b 100644
--- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
+++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
@@ -1,132 +1,7 @@
---
title: Assign applications using roles in MDT (Windows 10)
-description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer.
-ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
-keywords: settings, database, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: assign-applications-using-roles-in-mdt
---
-# Assign applications using roles in MDT
-
-This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
-
-## Create and assign a role entry in the database
-
-1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
-2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
- 1. Role name: Standard PC
- 2. Applications / Lite Touch Applications:
- 3. Install - Adobe Reader XI - x86
-
-
-
-Figure 12. The Standard PC role with the application added
-
-## Associate the role with a computer in the database
-
-After creating the role, you can associate it with one or more computer entries.
-1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
-2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
- - Roles: Standard PC
-
-
-
-Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
-
-## Verify database access in the MDT simulation environment
-
-When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer.
-1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following:
-
- ``` syntax
- [Settings]
- Priority=CSettings, CRoles, RApplications, Default
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=Y
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=P@ssw0rd
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=P@ssw0rd
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=NO
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- EventService=http://MDT01:9800
- [CSettings]
- SQLServer=MDT01
- Instance=SQLEXPRESS
- Database=MDT
- Netlib=DBNMPNTW
- SQLShare=Logs$
- Table=ComputerSettings
- Parameters=UUID, AssetTag, SerialNumber, MacAddress
- ParameterCondition=OR
- [CRoles]
- SQLServer=MDT01
- Instance=SQLEXPRESS
- Database=MDT
- Netlib=DBNMPNTW
- SQLShare=Logs$
- Table=ComputerRoles
- Parameters=UUID, AssetTag, SerialNumber, MacAddress
- ParameterCondition=OR
- [RApplications]
- SQLServer=MDT01
- Instance=SQLEXPRESS
- Database=MDT
- Netlib=DBNMPNTW
- SQLShare=Logs$
- Table=RoleApplications
- Parameters=Role
- Order=Sequence
- ```
-
-3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
-
- ``` syntax
- Set-Location C:\MDT
- .\Gather.ps1
-
- ```
-
-
-
-Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
[Use web services in MDT](use-web-services-in-mdt-2013.md)
-
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt.md b/windows/deploy/assign-applications-using-roles-in-mdt.md
new file mode 100644
index 0000000000..c2d8ed9f1b
--- /dev/null
+++ b/windows/deploy/assign-applications-using-roles-in-mdt.md
@@ -0,0 +1,132 @@
+---
+title: Assign applications using roles in MDT (Windows 10)
+description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer.
+ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
+keywords: settings, database, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Assign applications using roles in MDT
+
+This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
+
+## Create and assign a role entry in the database
+
+1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
+2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
+ 1. Role name: Standard PC
+ 2. Applications / Lite Touch Applications:
+ 3. Install - Adobe Reader XI - x86
+
+
+
+Figure 12. The Standard PC role with the application added
+
+## Associate the role with a computer in the database
+
+After creating the role, you can associate it with one or more computer entries.
+1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
+2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
+ - Roles: Standard PC
+
+
+
+Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
+
+## Verify database access in the MDT simulation environment
+
+When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer.
+1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
+2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following:
+
+ ``` syntax
+ [Settings]
+ Priority=CSettings, CRoles, RApplications, Default
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=Y
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=P@ssw0rd
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=P@ssw0rd
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=NO
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ EventService=http://MDT01:9800
+ [CSettings]
+ SQLServer=MDT01
+ Instance=SQLEXPRESS
+ Database=MDT
+ Netlib=DBNMPNTW
+ SQLShare=Logs$
+ Table=ComputerSettings
+ Parameters=UUID, AssetTag, SerialNumber, MacAddress
+ ParameterCondition=OR
+ [CRoles]
+ SQLServer=MDT01
+ Instance=SQLEXPRESS
+ Database=MDT
+ Netlib=DBNMPNTW
+ SQLShare=Logs$
+ Table=ComputerRoles
+ Parameters=UUID, AssetTag, SerialNumber, MacAddress
+ ParameterCondition=OR
+ [RApplications]
+ SQLServer=MDT01
+ Instance=SQLEXPRESS
+ Database=MDT
+ Netlib=DBNMPNTW
+ SQLShare=Logs$
+ Table=RoleApplications
+ Parameters=Role
+ Order=Sequence
+ ```
+
+3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
+
+ ``` syntax
+ Set-Location C:\MDT
+ .\Gather.ps1
+
+ ```
+
+
+
+Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
[Use web services in MDT](use-web-services-in-mdt.md)
+
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+
+
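Review bot: The CustomSettings.ini sample in the recreated topic carries `AdminPassword=P@ssw0rd` and `DomainAdminPassword=P@ssw0rd` in clear text under `[Default]`, and nothing in the topic says these are lab placeholders or that the file is readable by anything that can reach the deployment share. Add a short note to that effect, and say that the join account (`CONTOSO\MDT_JD`) should hold only the rights needed to join computers in the Workstations OU. In step 2 of the first procedure, "Install - Adobe Reader XI - x86" is numbered as a third setting although it is the value for "Applications / Lite Touch Applications"; the file also ends with two empty added lines.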
diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
index 010284c04f..5d6bf1b687 100644
--- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
@@ -26,12 +26,12 @@ Figure 1. The machines used in this topic.
## Replicate deployment shares
-Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) 2013 use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
+Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
**Note**
Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
-### Linked deployment shares in MDT 2013 Update 2
+### Linked deployment shares in MDT
LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option.
@@ -211,15 +211,14 @@ Now you should have a solution ready for deploying the Windows 10 client to the
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index d2629f839f..73511978ee 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -14,6 +14,9 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
## March 2017
| New or changed topic | Description |
|----------------------|-------------|
+| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
+| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
+| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
## February 2017
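Review bot: The link target on the added Configuration Manager row is spelled `upgrade-to-windows-10-with-system-center-configuraton-manager.md` ("configuraton"). Confirm that this matches the actual file name in windows/deploy. If the file is spelled "configuration", the link is dead. If the file really carries the misspelling, consider renaming it in this same change, since other topics are already being renamed and redirected here.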
diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md
index c95b0fc69e..f50d92c65e 100644
--- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md
+++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md
@@ -1,69 +1,4 @@
---
title: Configure MDT for UserExit scripts (Windows 10)
-description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
-ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
-keywords: rules, script
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: configure-mdt-for-userexit-scripts
---
-
-# Configure MDT for UserExit scripts
-
-In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
-
-## Configure the rules to call a UserExit script
-
-You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
-
-``` syntax
-[Settings]
-Priority=Default
-[Default]
-OSINSTALL=YES
-UserExit=Setname.vbs
-OSDComputerName=#SetName("%MACADDRESS%")#
-```
-
-The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script
-
-## The Setname.vbs UserExit script
-
-The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
-
-``` syntax
-Function UserExit(sType, sWhen, sDetail, bSkip)
- UserExit = Success
-End Function
-Function SetName(sMac)
- Dim re
- Set re = new RegExp
- re.IgnoreCase = true
- re.Global = true
- re.Pattern = ":"
- SetName = "PC" & re.Replace(sMac, "")
-End Function
-```
-The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value.
-
-**Note**
-The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md
index 46c1e30220..9549517323 100644
--- a/windows/deploy/configure-mdt-2013-settings.md
+++ b/windows/deploy/configure-mdt-2013-settings.md
@@ -1,46 +1,5 @@
---
title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
-ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
-keywords: customize, customization, deploy, features, tools
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: configure-mdt-settings
---
-# Configure MDT settings
-
-One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-- [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-- [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-- [Use web services in MDT](use-web-services-in-mdt-2013.md)
-- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
-
-## Related topics
-
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md
index 97a448f5da..bfcbdd5e6b 100644
--- a/windows/deploy/configure-mdt-deployment-share-rules.md
+++ b/windows/deploy/configure-mdt-deployment-share-rules.md
@@ -106,16 +106,16 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com
## Related topics
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deploy/configure-mdt-for-userexit-scripts.md b/windows/deploy/configure-mdt-for-userexit-scripts.md
new file mode 100644
index 0000000000..c168bda59d
--- /dev/null
+++ b/windows/deploy/configure-mdt-for-userexit-scripts.md
@@ -0,0 +1,69 @@
+---
+title: Configure MDT for UserExit scripts (Windows 10)
+description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
+ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
+keywords: rules, script
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Configure MDT for UserExit scripts
+
+In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
+
+## Configure the rules to call a UserExit script
+
+You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
+
+``` syntax
+[Settings]
+Priority=Default
+[Default]
+OSINSTALL=YES
+UserExit=Setname.vbs
+OSDComputerName=#SetName("%MACADDRESS%")#
+```
+
+The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script
+
+## The Setname.vbs UserExit script
+
+The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
+
+``` syntax
+Function UserExit(sType, sWhen, sDetail, bSkip)
+ UserExit = Success
+End Function
+Function SetName(sMac)
+ Dim re
+ Set re = new RegExp
+ re.IgnoreCase = true
+ re.Global = true
+ re.Pattern = ":"
+ SetName = "PC" & re.Replace(sMac, "")
+End Function
+```
+The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value.
+
+**Note**
+The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
+
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
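Review bot: The paragraph under "The Setname.vbs UserExit script" says the script will "remove the semicolons from the MAC Address", but the code sets `re.Pattern = ":"` and both the introduction and the paragraph after the code block say colons. Since the text is carried into a new file, correct "semicolons" to "colons" here. Two smaller points in the same file: the sentence ending "the %MACADDRESS% variable is passed to the script" lacks a closing period, and "provided in the book sample files, in the UserExit folder" refers to a book that this topic never identifies, so either name the source or drop the parenthetical.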
diff --git a/windows/deploy/configure-mdt-settings.md b/windows/deploy/configure-mdt-settings.md
new file mode 100644
index 0000000000..f5e67fc5c6
--- /dev/null
+++ b/windows/deploy/configure-mdt-settings.md
@@ -0,0 +1,46 @@
+---
+title: Configure MDT settings (Windows 10)
+description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
+ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
+keywords: customize, customization, deploy, features, tools
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Configure MDT settings
+
+One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
+For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+
+
+
+Figure 1. The machines used in this topic.
+
+## In this section
+
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+
+## Related topics
+
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
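Review bot: The machine list in the second paragraph of the body does not agree with itself. It states "we will use four machines: DC01, MDT01, HV01, and PC0001", then never describes HV01 and instead describes OR01, and the domain membership sentence lists "MDT01, OR01, and PC0001". Decide whether the fourth machine is HV01 or OR01 (or whether there are five) and make the count, the list and the descriptions match before this lands as the canonical copy of the topic.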
diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index bfb8f98424..acdd78a794 100644
--- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -17,7 +17,7 @@ author: mtniehaus
- Windows 10
-In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 2 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
@@ -86,7 +86,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
index f259ac4131..98e1ddb768 100644
--- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -59,9 +59,9 @@ This section walks you through the process of creating a System Center 2012 R2 C
6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT 2013**. Then click **Next**.
+7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-8. On the **MDT Details** page, assign the name **MDT 2013** and click **Next**.
+8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
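Review bot: In steps 7 and 8 the version removal has changed literal values the reader types, not just the product name: the package source folder becomes `\\CM01\Sources$\OSD\MDT\MDT` and the package name becomes **MDT**. The doubled `MDT\MDT` path reads like a mistake, and a package named only "MDT" is harder to tell apart when more than one toolkit files package exists. Confirm this is intended and not a side effect of search-and-replace. If it is intended, check that every later step that refers to this package or folder uses the same name.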
@@ -160,14 +160,14 @@ While creating the task sequence with the MDT wizard, a few operating system dep
1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-2. Select the **MDT 2013** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md
index 7f4671ccf1..03ce967435 100644
--- a/windows/deploy/create-a-windows-10-reference-image.md
+++ b/windows/deploy/create-a-windows-10-reference-image.md
@@ -16,7 +16,7 @@ author: mtniehaus
**Applies to**
- Windows 10
-Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
+Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
**Note**
@@ -69,11 +69,11 @@ Figure 3. Permissions configured for the MDT\_BA user.
## Add the setup files
-This section will show you how to populate the MDT 2013 Update 2 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
+This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
### Add the Windows 10 installation files
-MDT 2013 supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
+MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
**Note**
Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
@@ -124,7 +124,7 @@ You can customize Office 2013. In the volume license versions of Office 2013, th
### Add the Microsoft Office Professional Plus 2013 x86 installation files
-After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT 2013 detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this.
+After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this.
You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings.
1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**.
2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box.
@@ -633,7 +633,7 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
@@ -641,4 +641,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 30ed33ca81..7bbe55f078 100644
--- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -71,7 +71,7 @@ The following steps show you how to create the Adobe Reader XI application. This
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md
index 05f3667cb6..d7f9b691ff 100644
--- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md
@@ -1,6 +1,6 @@
---
-title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10)
-description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.
+title: Deploy a Windows 10 image using MDT (Windows 10)
+description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
keywords: deployment, automate, tools, configure
ms.prod: w10
@@ -11,12 +11,12 @@ ms.pagetype: mdt
author: mtniehaus
---
-# Deploy a Windows 10 image using MDT 2013 Update 2
+# Deploy a Windows 10 image using MDT
**Applies to**
- Windows 10
-This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.
+This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.
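Review bot: The rewritten introduction paragraph still contains "allows greater control of on both processes" and "creating a MDT deployment share". Since the line is being touched anyway, fix these to "greater control of both processes" and "an MDT deployment share".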
@@ -119,7 +119,7 @@ Figure 3. The Adobe Reader application added to the Deployment Workbench.
## Step 5: Prepare the drivers repository
-In order to deploy Windows 10 with MDT 2013 Update 2 successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
+In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
- Dell Latitude E6440
- HP EliteBook 8560w
@@ -131,7 +131,7 @@ You should only add drivers to the Windows PE images if the default drivers don'
### Create the driver source structure in the file system
-The key to successful management of drivers for MDT 2013 Update 2, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
+The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
1. On MDT01, using File Explorer, create the **E:\\Drivers** folder.
2. In the **E:\\Drivers** folder, create the following folder structure:
@@ -151,9 +151,9 @@ The key to successful management of drivers for MDT 2013 Update 2, as well as fo
**Note**
Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
-### Create the logical driver structure in MDT 2013 Update 2
+### Create the logical driver structure in MDT
-When you import drivers to the MDT 2013 Update 2 driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench.
+When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench.
1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.
2. In the **Out-Of-Box Drivers** node, create the following folder structure:
1. WinPE x86
@@ -450,7 +450,7 @@ troubleshoot MDT deployments, as well as troubleshoot Windows itself.
### Add DaRT 10 to the boot images
-If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 2, you need to do the following:
+If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following:
- Install DaRT 10 (part of MDOP 2015 R1).
- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share.
- Configure the deployment share to add DaRT.
@@ -519,7 +519,7 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
-### Use the MDT 2013 monitoring feature
+### Use the MDT monitoring feature
Now that you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node.
@@ -545,7 +545,7 @@ Multicast deployment allows for image deployment with reduced network load durin
### Requirements
-Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT 2013 setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that
+Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that
Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3.
### Set up MDT for multicast
@@ -651,4 +651,4 @@ Figure 14. The partitions when deploying an UEFI-based machine.
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/deploy-whats-new.md b/windows/deploy/deploy-whats-new.md
new file mode 100644
index 0000000000..9d6a1b0d15
--- /dev/null
+++ b/windows/deploy/deploy-whats-new.md
@@ -0,0 +1,123 @@
+---
+title: What's new in Windows 10 deployment
+description: Changes and new features related to Windows 10 deployment
+keywords: deployment, automate, tools, configure, news
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# What's new in Windows 10 deployment
+
+**Applies to**
+- Windows 10
+
+
+## In this topic
+
+This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
+
+- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index).
+- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
+
+
+## Windows 10 Enterprise upgrade
+
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
+
+For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
+
+
+## Deployment solutions and tools
+
+### Upgrade Readiness
+
+The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
+
+The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
+
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
+
+
+### MBR2GPT
+
+MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
+
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+
+For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
+
+
+### Microsoft Deployment Toolkit (MDT)
+
+MDT build 884 is available, including support for:
+- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016.
+- The Windows ADK for Windows 10, version 1607.
+- Integration with Configuration Manager version 1606.
+
+For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/en-US/windows/dn475741).
+
+
+### Windows Assessment and Deployment Kit (ADK)
+
+The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics:
+
+- [What's new in ADK kits and tools](https://msdn.microsoft.com/windows/hardware/commercialize/what-s-new-in-kits-and-tools)
+- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+
+
+## Testing and validation guidance
+
+### Windows 10 deployment proof of concept (PoC)
+
+The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
+
+For more information, see the following guides:
+
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+
+## Troubleshooting guidance
+
+[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+
+
+## Online content change history
+
+The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
+
+[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
+
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
+
[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
+
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
+
+
+## Related topics
+
+[Overview of Windows as a service](../manage/waas-overview.md)
+
[Windows 10 deployment considerations](../plan/windows-10-deployment-considerations.md)
+
[Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx)
+
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
+
[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+
+
\ No newline at end of file
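Review bot: In the Upgrade Readiness section of the new file, the sentence "The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing" runs two clauses together; split it into two sentences or add "and" after "community". In the next sentence "Operation Management Suite" should be "Operations Management Suite". The "For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)" line is missing its closing period, and the file ends without a trailing newline.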
diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
index 1a6a52fffb..3994cbff66 100644
--- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -40,7 +40,7 @@ Figure 32. Typing in the computer name.
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index 37ca1c3630..29ef0d6793 100644
--- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -17,7 +17,7 @@ author: mtniehaus
- Windows 10
-If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2.
+If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
@@ -28,7 +28,7 @@ Figure 1. The machines used in this topic.
## In this section
-- [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+- [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -69,11 +69,11 @@ Operating system deployment with Configuration Manager is part of the normal sof
- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT 2013 Update 2 Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-- **Drivers.** Like MDT 2013 Update 2 Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT 2013 Update 2 Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT 2013 Update 2 provides additional task sequence templates to Configuration Manager.
+- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
**Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index b5bd6bcf7a..3cdcb17cd1 100644
--- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
-description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.
+description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
keywords: deploy, tools, configure, script
ms.prod: w10
@@ -16,10 +16,10 @@ ms.pagetype: mdt
**Applies to**
- Windows 10
-This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.
+This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
-MDT 2013 Update 2 supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.
+MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.
To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
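Review bot: With the version qualifier dropped, the added line "MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2" now reads as a statement about current MDT, yet deploy-whats-new.md in this same patch lists Windows Server 2016 support for MDT build 884. Either update the supported operating system list here or keep a version reference so the two topics agree.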
@@ -27,11 +27,11 @@ To download the latest version of MDT, visit the [MDT resource page](https://go.
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-- [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-- [Configure MDT settings](configure-mdt-2013-settings.md)
+- [Configure MDT settings](configure-mdt-settings.md)
## Proof-of-concept environment
diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 635e1c0291..1cd99cefee 100644
--- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -138,7 +138,7 @@ This sections provides steps to help you create a deployment for the task sequen
## Configure Configuration Manager to prompt for the computer name during deployment (optional)
-You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-2013-settings.md).
+You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-settings.md).
This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
@@ -162,7 +162,7 @@ This section provides steps to help you configure the All Unknown Computers coll
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
index 33998a9cbe..7e5bf105f1 100644
--- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
@@ -1,6 +1,6 @@
---
title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
-description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment.
+description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
keywords: deploy, image, feature, install, tools
ms.prod: w10
@@ -16,9 +16,9 @@ author: mtniehaus
**Applies to**
- Windows 10
-This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT 2013 Update 2 also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.
+This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.
-In addition to familiarizing you with the features and options available in MDT 2013 Update 2, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.
+In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.
For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
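Review bot: Removing "and MDT 2013 Update 2 in particular" leaves a stray comma in the first added sentence: "how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment". Drop the comma here, and make the same fix in the front-matter description line changed in the previous hunk of this file, which carries the identical wording.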
@@ -29,9 +29,9 @@ Figure 1. The machines used in this topic.
## In this section
-- [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
-- [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)
-- [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)
+- [Key features in MDT](key-features-in-mdt.md)
+- [MDT Lite Touch components](mdt-lite-touch-components.md)
+- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
## Related topics
@@ -39,7 +39,7 @@ Figure 1. The machines used in this topic.
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
@@ -47,4 +47,4 @@ Figure 1. The machines used in this topic.
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/images/ur-arch-diagram.png b/windows/deploy/images/ur-arch-diagram.png
new file mode 100644
index 0000000000..9c1da1227c
Binary files /dev/null and b/windows/deploy/images/ur-arch-diagram.png differ
diff --git a/windows/deploy/images/ur-overview.PNG b/windows/deploy/images/ur-overview.PNG
index f1818d7073..cf9563ece5 100644
Binary files a/windows/deploy/images/ur-overview.PNG and b/windows/deploy/images/ur-overview.PNG differ
diff --git a/windows/deploy/images/ur-settings.PNG b/windows/deploy/images/ur-settings.PNG
new file mode 100644
index 0000000000..d1724cb821
Binary files /dev/null and b/windows/deploy/images/ur-settings.PNG differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index 6660898fad..1b0542594d 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -16,13 +16,12 @@ Learn about deploying Windows 10 for IT professionals.
|Topic |Description |
|------|------------|
+|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
-|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
-|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
-|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
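Review bot: The rewritten Configuration Manager row ends with a dangling conjunction, "integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or."; remove the trailing "or" so the sentence ends at "(MDT).". This hunk also deletes the two "Upgrade to Windows 10 with ..." rows (Microsoft Deployment Toolkit and System Center Configuration Manager) without re-adding them, so confirm that dropping those topics from the index table is intended and that they remain reachable elsewhere.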
diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md
index 149ba5e250..8ca7faeb78 100644
--- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md
+++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md
@@ -1,116 +1,4 @@
---
title: Integrate Configuration Manager with MDT 2013 Update 2 (Windows 10)
-description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
-ms.pagetype: mdt
-keywords: deploy, image, customize, task sequence
-ms.prod: w10
-localizationpriority: high
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: mtniehaus
+redirect_url: integrate-configuration-manager-with-mdt
---
-
-# Integrate Configuration Manager with MDT 2013 Update 2
-
-**Applies to**
-- Windows 10
-
-This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-
-## Why integrate MDT 2013 Update 2 with Configuration Manager
-
-As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 2 adds to Configuration Manager.
-
-### MDT enables dynamic deployment
-
-When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
-
-The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
-- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
-
- ``` syntax
- [Settings]
- Priority=Model
- [HP EliteBook 8570w]
- Packages001=PS100010:Install HP Hotkeys
- ```
-- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
-
- ``` syntax
- [Settings]
- Priority= ByLaptopType, ByDesktopType
- [ByLaptopType]
- Subsection=Laptop-%IsLaptop%
- [ByDesktopType]
- Subsection=Desktop-%IsDesktop%
- [Laptop-True]
- Packages001=PS100012:Install Cisco VPN Client
- OSDComputerName=LT-%SerialNumber%
- MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
- [Desktop-True]
- OSDComputerName=DT-%SerialNumber%
- MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
- ```
-
-
-
-Figure 2. The Gather action in the task sequence is reading the rules.
-
-### MDT adds an operating system deployment simulation environment
-
-When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-2013-settings.md).
-
-
-
-Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
-
-### MDT adds real-time monitoring
-
-With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
-
-
-
-Figure 4. View the real-time monitoring data with PowerShell.
-
-### MDT adds an optional deployment wizard
-
-For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
-
-
-
-Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
-
-MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
-
-## Why use MDT Lite Touch to create reference images
-
-You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
-- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
-- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
-- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
-- The Configuration Manager task sequence does not suppress user interface interaction.
-- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
-- MDT Lite Touch does not require any infrastructure and is easy to delegate.
-
-## Related topics
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
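Review bot: The added `redirect_url: integrate-configuration-manager-with-mdt` is a bare slug with no path or extension, so confirm the publishing build resolves it relative to `windows/deploy/` and lands on the new file created later in this patch. The stub also keeps the old `title: Integrate Configuration Manager with MDT 2013 Update 2 (Windows 10)` as a context line; that is harmless if the build ignores the title on redirect pages, but worth checking so the old name does not keep surfacing in search or navigation.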
diff --git a/windows/deploy/integrate-configuration-manager-with-mdt.md b/windows/deploy/integrate-configuration-manager-with-mdt.md
new file mode 100644
index 0000000000..2b4560ff12
--- /dev/null
+++ b/windows/deploy/integrate-configuration-manager-with-mdt.md
@@ -0,0 +1,116 @@
+---
+title: Integrate Configuration Manager with MDT (Windows 10)
+description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
+ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
+ms.pagetype: mdt
+keywords: deploy, image, customize, task sequence
+ms.prod: w10
+localizationpriority: high
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mtniehaus
+---
+
+# Integrate Configuration Manager with MDT
+
+**Applies to**
+- Windows 10
+
+This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
+MDT is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+
+## Why integrate MDT with Configuration Manager
+
+As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
+
+### MDT enables dynamic deployment
+
+When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
+
+The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
+- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
+
+ ``` syntax
+ [Settings]
+ Priority=Model
+ [HP EliteBook 8570w]
+ Packages001=PS100010:Install HP Hotkeys
+ ```
+- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
+ ``` syntax
+ [Settings]
+ Priority= ByLaptopType, ByDesktopType
+ [ByLaptopType]
+ Subsection=Laptop-%IsLaptop%
+ [ByDesktopType]
+ Subsection=Desktop-%IsDesktop%
+ [Laptop-True]
+ Packages001=PS100012:Install Cisco VPN Client
+ OSDComputerName=LT-%SerialNumber%
+ MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
+ [Desktop-True]
+ OSDComputerName=DT-%SerialNumber%
+ MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
+ ```
+
+
+
+Figure 2. The Gather action in the task sequence is reading the rules.
+
+### MDT adds an operating system deployment simulation environment
+
+When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-settings.md).
+
+
+
+Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
+
+### MDT adds real-time monitoring
+
+With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
+
+
+
+Figure 4. View the real-time monitoring data with PowerShell.
+
+### MDT adds an optional deployment wizard
+
+For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
+
+
+
+Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
+
+MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
+
+## Why use MDT Lite Touch to create reference images
+
+You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
+- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
+- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
+- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+- The Configuration Manager task sequence does not suppress user interface interaction.
+- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
+- MDT Lite Touch does not require any infrastructure and is easy to delegate.
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
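Review bot: Dropping "2013 Update 2" from the title and headings makes this page read as version-neutral, but the body still carries version-bound statements: "adds approximately 280 enhancements" was previously attached to MDT 2013, and "System Center 2012 R2 Configuration Manager SP1" is named throughout. Keep a version qualifier next to the count, or confirm it holds for the release the page now describes. In the Lite Touch list, "Microsoft System Center 2012 R2 performs deployment in the LocalSystem context" looks like it is missing "Configuration Manager" in the product name. The figure captions also start at "Figure 2" with no Figure 1 anywhere in the file.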
diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md
index 0264a106c0..d62060296d 100644
--- a/windows/deploy/key-features-in-mdt-2013.md
+++ b/windows/deploy/key-features-in-mdt-2013.md
@@ -1,62 +1,4 @@
---
title: Key features in MDT 2013 Update 2 (Windows 10)
-description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0.
-ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
-keywords: deploy, feature, tools, upgrade, migrate, provisioning
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
----
-
-# Key features in MDT 2013 Update 2
-
-**Applies to**
-- Windows 10
-
-The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
-
-MDT 2013 has many useful features, the most important of which are:
-- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10.
-- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
-- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry.
-- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
-- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI.
-- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
-
- 
-
- Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
-
-- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
-- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
-- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
-- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
-- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
-- **Monitoring.** Allows you to see the status of currently running deployments.
-- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
-- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
-- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
-- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
-
- 
-
- Figure 3. The offline USMT backup in action.
-
-- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
-- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
-- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
-- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013.
-- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
-- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
-- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-## Related topics
-
-[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)
-
-[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)
-
-
+redirect_url: key-features-in-mdt
+---
\ No newline at end of file
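Review bot: The closing `---` of the front matter is now the last line of the file and has no trailing newline (`\ No newline at end of file`). The original closing delimiter is removed and re-added only to lose its newline; keep the existing delimiter as an unchanged line, as the redirect stub for `integrate-configuration-manager-with-mdt-2013.md` does, and add just the `redirect_url: key-features-in-mdt` line above it.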
diff --git a/windows/deploy/key-features-in-mdt.md b/windows/deploy/key-features-in-mdt.md
new file mode 100644
index 0000000000..faeb651733
--- /dev/null
+++ b/windows/deploy/key-features-in-mdt.md
@@ -0,0 +1,62 @@
+---
+title: Key features in MDT (Windows 10)
+description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0.
+ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
+keywords: deploy, feature, tools, upgrade, migrate, provisioning
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Key features in MDT
+
+**Applies to**
+- Windows 10
+
+The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
+
+MDT has many useful features, the most important of which are:
+- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10.
+- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
+- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry.
+- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
+- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI.
+- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
+
+ 
+
+ Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
+
+- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
+- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
+- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
+- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
+- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
+- **Monitoring.** Allows you to see the status of currently running deployments.
+- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
+- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
+- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
+- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
+
+ 
+
+ Figure 3. The offline USMT backup in action.
+
+- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
+- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
+- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
+- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013.
+- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
+- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
+- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+## Related topics
+
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+
+[MDT Lite Touch components](mdt-lite-touch-components.md)
+
+
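Review bot: With the version removed from the heading, "MDT has many useful features" now introduces a list that is still specific to one release: the Windows Server support bullet stops at Windows Server 2012 R2, UEFI support is pinned to version 2.3.1, and the upgrade task sequence is described as "new". State which MDT release the list describes, or reword the time-bound items. The captions begin at "Figure 2" with no Figure 1 in this file, and the file ends with two blank added lines that can be dropped.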
diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md
index 5775e4b633..e0c160b723 100644
--- a/windows/deploy/mbr-to-gpt.md
+++ b/windows/deploy/mbr-to-gpt.md
@@ -378,7 +378,6 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is
## Related topics
-[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/)
-
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
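Review bot: Removing the "Using MBR2GPT with Configuration Manager OSD" link under `## Related topics` is unrelated to the MDT renames in the other files of this patch and carries no stated reason; mention it in the commit message or split it into its own change. The "Windows 10 Enterprise system requirements" link appears both as an unchanged line and as an added line in this hunk, so check that the rendered list does not show it twice.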
diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md
index 2234092338..5afed1bb8b 100644
--- a/windows/deploy/mdt-2013-lite-touch-components.md
+++ b/windows/deploy/mdt-2013-lite-touch-components.md
@@ -1,119 +1,4 @@
---
title: MDT 2013 Update 2 Lite Touch components (Windows 10)
-description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10.
-ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
-keywords: deploy, install, deployment, boot, log, monitor
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
----
-
-# MDT 2013 Update 2 Lite Touch components
-
-**Applies to**
-- Windows 10
-
-This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
-When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
-
-
-
-Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
-
-## Deployment shares
-
-A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment.
-
-## Rules
-
-The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
-- Computer name
-- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
-- Whether to enable BitLocker
-- Regional settings
-You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-
-
-Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
-
-## Boot images
-
-Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
-share on the server and start the deployment.
-
-## Operating systems
-
-Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
-
-## Applications
-
-Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
-
-## Driver repository
-
-You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
-
-## Packages
-
-With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
-
-## Task sequences
-
-Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
-
-You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
-- **Gather.** Reads configuration settings from the deployment server.
-- **Format and Partition.** Creates the partition(s) and formats them.
-- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
-- **Apply Operating System.** Uses ImageX to apply the image.
-- **Windows Update.** Connects to a WSUS server and updates the machine.
-
-## Task sequence templates
-
-MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
-- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
-
- **Note**
- It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
-
-- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
-- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
-- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
-- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
-- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
-- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
-- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
-- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
-- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
-
-## Selection profiles
-
-Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
-- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
-- Control which drivers are injected during the task sequence.
-- Control what is included in any media that you create.
-- Control what is replicated to other deployment shares.
-- Filter which task sequences and applications are displayed in the Deployment Wizard.
-
-## Logging
-
-MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
-
-**Note**
-The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
-
-## Monitoring
-
-On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
-
-## Related topics
-
-[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
-
-[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)
-
-
+redirect_url: mdt-lite-touch-components
+---
\ No newline at end of file
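Review bot: The redirect stub ends at the closing `---` with "\ No newline at end of file"; add a trailing newline after the front-matter delimiter so later edits to this file do not show a spurious change on that line. It is also worth confirming that the bare slug in `redirect_url: mdt-lite-touch-components` resolves from this file's directory, since the value carries no path or extension.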
diff --git a/windows/deploy/mdt-lite-touch-components.md b/windows/deploy/mdt-lite-touch-components.md
new file mode 100644
index 0000000000..2b004d7fbb
--- /dev/null
+++ b/windows/deploy/mdt-lite-touch-components.md
@@ -0,0 +1,117 @@
+---
+title: MDT Lite Touch components (Windows 10)
+description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10.
+ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
+keywords: deploy, install, deployment, boot, log, monitor
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# MDT Lite Touch components
+
+**Applies to**
+- Windows 10
+
+This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
+When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
+
+
+
+Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
+
+## Deployment shares
+
+A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment.
+
+## Rules
+
+The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
+- Computer name
+- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
+- Whether to enable BitLocker
+- Regional settings
+You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+
+
+Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
+
+## Boot images
+
+Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
+share on the server and start the deployment.
+
+## Operating systems
+
+Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
+
+## Applications
+
+Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
+
+## Driver repository
+
+You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
+
+## Packages
+
+With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
+
+## Task sequences
+
+Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
+
+You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
+- **Gather.** Reads configuration settings from the deployment server.
+- **Format and Partition.** Creates the partition(s) and formats them.
+- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
+- **Apply Operating System.** Uses ImageX to apply the image.
+- **Windows Update.** Connects to a WSUS server and updates the machine.
+
+## Task sequence templates
+
+MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
+- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
+
+ **Note**
+ It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
+
+- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
+- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
+- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
+- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
+- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
+- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
+- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
+- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
+- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
+
+## Selection profiles
+
+Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
+- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
+- Control which drivers are injected during the task sequence.
+- Control what is included in any media that you create.
+- Control what is replicated to other deployment shares.
+- Filter which task sequences and applications are displayed in the Deployment Wizard.
+
+## Logging
+
+MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
+
+**Note**
+The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
+
+## Monitoring
+
+On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
+
+## Related topics
+
+[Key features in MDT](key-features-in-mdt.md)
+
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
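Review bot: Under "Task sequence templates" the text says "MDT comes with nine default task sequence templates", but the list that follows has ten entries, ending with the Standard Client Upgrade task sequence. Since this file is being created fresh, either change the count to ten or drop the number. Two smaller points in the "Rules" section: the Figure 5 caption should read "an MDT rule" rather than "a MDT rule", and "You can manage hundreds of settings in the rules." follows the last bullet with no blank line, so it may render as a continuation of the "Regional settings" item.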
diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
index a2caee8ea8..ecb875e202 100644
--- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
@@ -52,7 +52,7 @@ To monitor an operating system deployment conducted through System Center 2012 R
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
index 546035f735..600b8e9783 100644
--- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
+++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
@@ -1,122 +1,4 @@
---
title: Prepare for deployment with MDT 2013 Update 2 (Windows 10)
-description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2.
-ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
-keywords: deploy, system requirements
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: prepare-for-windows-deployment-with-mdt
---
-
-# Prepare for deployment with MDT 2013 Update 2
-
-**Applies to**
-- Windows 10
-
-This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.
-
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-## System requirements
-
-MDT 2013 Update 2 requires the following components:
-- Any of the following operating systems:
- - Windows 7
- - Windows 8
- - Windows 8.1
- - Windows 10
- - Windows Server 2008 R2
- - Windows Server 2012
- - Windows Server 2012 R2
-- Windows Assessment and Deployment Kit (ADK) for Windows 10
-- Windows PowerShell
-- Microsoft .NET Framework
-
-## Install Windows ADK for Windows 10
-
-These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder.
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**.
-2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**.
-3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings:
- 1. Deployment Tools
- 2. Windows Preinstallation Environment (Windows PE)
- 3. User State Migration Tool (UMST)
-
-## Install MDT 2013 Update 2
-
-These steps assume that you have downloaded [MDT 2013 Update 2](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01.
-
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**.
-2. Install **MDT** (E:\\Downloads\\MDT 2013\\MicrosoftDeploymentToolkit2013\_x64.msi) with the default settings.
-
-## Create the OU structure
-
-If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 2.
-1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**.
-2. In the **Contoso** OU, create the following OUs:
- 1. Accounts
- 2. Computers
- 3. Groups
-3. In the **Contoso / Accounts** OU, create the following underlying OUs:
- 1. Admins
- 2. Service Accounts
- 3. Users
-4. In the **Contoso / Computers** OU, create the following underlying OUs:
- 1. Servers
- 2. Workstations
-5. In the **Contoso / Groups** OU, create the following OU:
- - Security Groups
-
-
-
-Figure 6. A sample of how the OU structure will look after all the OUs are created.
-
-## Create the MDT service account
-
-When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings:
- 1. Name: MDT\_BA
- 2. User logon name: MDT\_BA
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Selected
- 6. Password never expires: Selected
-
-## Create and share the logs folder
-
-By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
-
- ``` syntax
- New-Item -Path E:\Logs -ItemType directory
- New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
- icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
- ```
-
-
-
-Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell.
-
-## Use CMTrace to read log files (optional)
-
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read.
-
-
-
-Figure 8. An MDT log file opened in Notepad.
-
-
-
-
-Figure 9. The same log file, opened in CMTrace, is much easier to read.
-## Related topics
-
-[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
-
-[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt.md b/windows/deploy/prepare-for-windows-deployment-with-mdt.md
new file mode 100644
index 0000000000..9274e2a90d
--- /dev/null
+++ b/windows/deploy/prepare-for-windows-deployment-with-mdt.md
@@ -0,0 +1,122 @@
+---
+title: Prepare for deployment with MDT (Windows 10)
+description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
+ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
+keywords: deploy, system requirements
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Prepare for deployment with MDT
+
+**Applies to**
+- Windows 10
+
+This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.
+
+For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+
+## System requirements
+
+MDT requires the following components:
+- Any of the following operating systems:
+ - Windows 7
+ - Windows 8
+ - Windows 8.1
+ - Windows 10
+ - Windows Server 2008 R2
+ - Windows Server 2012
+ - Windows Server 2012 R2
+- Windows Assessment and Deployment Kit (ADK) for Windows 10
+- Windows PowerShell
+- Microsoft .NET Framework
+
+## Install Windows ADK for Windows 10
+
+These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder.
+1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**.
+2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**.
+3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings:
+ 1. Deployment Tools
+ 2. Windows Preinstallation Environment (Windows PE)
+ 3. User State Migration Tool (UMST)
+
+## Install MDT
+
+These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01.
+
+1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**.
+2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings.
+
+## Create the OU structure
+
+If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT.
+1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**.
+2. In the **Contoso** OU, create the following OUs:
+ 1. Accounts
+ 2. Computers
+ 3. Groups
+3. In the **Contoso / Accounts** OU, create the following underlying OUs:
+ 1. Admins
+ 2. Service Accounts
+ 3. Users
+4. In the **Contoso / Computers** OU, create the following underlying OUs:
+ 1. Servers
+ 2. Workstations
+5. In the **Contoso / Groups** OU, create the following OU:
+ - Security Groups
+
+
+
+Figure 6. A sample of how the OU structure will look after all the OUs are created.
+
+## Create the MDT service account
+
+When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
+1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
+2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings:
+ 1. Name: MDT\_BA
+ 2. User logon name: MDT\_BA
+ 3. Password: P@ssw0rd
+ 4. User must change password at next logon: Clear
+ 5. User cannot change password: Selected
+ 6. Password never expires: Selected
+
+## Create and share the logs folder
+
+By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+
+1. On MDT01, log on as **CONTOSO\\Administrator**.
+2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+
+ ``` syntax
+ New-Item -Path E:\Logs -ItemType directory
+ New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
+ icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
+ ```
+
+
+
+Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell.
+
+## Use CMTrace to read log files (optional)
+
+The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read.
+
+
+
+Figure 8. An MDT log file opened in Notepad.
+
+
+
+
+Figure 9. The same log file, opened in CMTrace, is much easier to read.
+## Related topics
+
+[Key features in MDT](key-features-in-mdt.md)
+
+[MDT Lite Touch components](mdt-lite-touch-components.md)
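Review bot: In "Create and share the logs folder", `New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE` gives Everyone Change access at the share level, while the next line grants NTFS Modify only to MDT_BA. As this text goes into a new file, consider scoping the share permission to the build account (for example `-ChangeAccess CONTOSO\MDT_BA`) so it matches the NTFS grant, or state in the text which NTFS permissions are expected to limit access. In "Create the MDT service account", the MDT_BA settings combine a published password (P@ssw0rd) with "User cannot change password" and "Password never expires"; a sentence marking these as lab-only values would help readers who copy the steps. Typos carried over from the old file: "User State Migration Tool (UMST)" should be USMT, "files system" should be "file system", and the MDT download link has a stray space before the closing parenthesis (`LinkId=618117 )`).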
diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index ea62cd3903..7e6facd287 100644
--- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -154,15 +154,15 @@ Figure 7. The E:\\Sources\\OSD folder structure.
## Integrate Configuration Manager with MDT
-To extend the Configuration Manager console with MDT 2013 Update 2 wizards and templates, you install MDT 2013 Update 2 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 2 to the C:\\Setup\\MDT2013 folder on CM01.
+To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01.
1. On CM01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**.
2. Make sure the Configuration Manager Console is closed before continuing.
-3. Using File Explorer, navigate to the **C:\\Setup\\MDT 2013** folder.
+3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder.
-4. Run the MDT 2013 setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
+4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
5. From the Start screen, run Configure ConfigManager Integration with the following settings:
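Review bot: The folder names no longer agree after the rename: the intro paragraph says MDT was downloaded to the C:\\Setup\\MDT2013 folder, but step 3 now navigates to **C:\\Setup\\MDT**. Pick one path and use it in both places. Step 4 also still names the installer `MicrosoftDeploymentToolkit2013\_x64.msi`, whereas the new prepare-for-windows-deployment-with-mdt.md in this change refers to `MicrosoftDeploymentToolkit\_x64.msi`; confirm the actual file name and align the two topics.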
@@ -172,7 +172,7 @@ To extend the Configuration Manager console with MDT 2013 Update 2 wizards and t

-Figure 8. Set up the MDT 2013 Update 2 integration with Configuration Manager.
+Figure 8. Set up the MDT integration with Configuration Manager.
## Configure the client settings
@@ -248,7 +248,7 @@ Configuration Manager has many options for starting a deployment, but starting v
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 6f41793f47..9e7878aea9 100644
--- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -120,7 +120,7 @@ Now you can start the computer refresh on PC0003.
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
index 91eb3986c7..671ef7c573 100644
--- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,6 +1,6 @@
---
title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
-description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
+description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
keywords: reinstallation, customize, template, script, restore
ms.prod: w10
@@ -16,7 +16,7 @@ author: mtniehaus
**Applies to**
- Windows 10
-This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
+This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
@@ -119,10 +119,10 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 397914bb14..18d714b7ee 100644
--- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -38,7 +38,7 @@ In this topic, you will create a backup-only task sequence that you run on PC000
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-5. On the **MDT Package** page, browse and select the **OSD / MDT 2013** package. Then click **Next**.
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
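Review bot: Step 5 now selects the **OSD / MDT** package, so the package created in the earlier integration topic has to be renamed to match, otherwise readers will not find it in the console. While this list is being touched, the unchanged step 6 has a misplaced bold marker ("O**SD / Microsoft Corporation User State Migration Tool ...") that should read "**OSD / ...".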
@@ -204,7 +204,7 @@ When the process is complete, you will have a new Windows 10 machine in your dom
## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
index a3e51c36b6..28c9c32005 100644
--- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -138,10 +138,10 @@ During a computer replace, these are the high-level steps that occur:
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md
index b49144c4ca..a16acec410 100644
--- a/windows/deploy/resolve-windows-10-upgrade-errors.md
+++ b/windows/deploy/resolve-windows-10-upgrade-errors.md
@@ -1,6 +1,6 @@
---
-title: Resolve Windows 10 upgrade errors
-description: Resolve Windows 10 upgrade errors
+title: Resolve Windows 10 upgrade errors - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
ms.prod: w10
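Review bot: The new description spells the audience "ITPros" and then "IT professionals" in the next sentence, while the new title uses "IT Pro". Use one spelling throughout the front matter, for example "Resolve Windows 10 upgrade errors for IT professionals." followed by the second sentence as written.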
@@ -11,7 +11,7 @@ author: greg-lindsay
localizationpriority: high
---
-# Resolve Windows 10 upgrade errors
+# Resolve Windows 10 upgrade errors : Technical information for IT Pros
**Applies to**
- Windows 10
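Review bot: The new H1 has a stray space before the colon ("errors : Technical") and no longer matches the title set in the front matter ("Resolve Windows 10 upgrade errors - Windows IT Pro"). Suggest "# Resolve Windows 10 upgrade errors: Technical information for IT Pros", and check that any anchors or links that depend on the old heading text still resolve.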
@@ -251,13 +251,15 @@ See the following example:
### Analyze log files
+>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes).
+
To analyze Windows Setup log files:
-- Determine the Windows Setup error code.
+
- Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
- Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
- Open the log file in a text editor, such as notepad.
-
- Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
+
- Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
- To find the last occurrence of the result code:
- Scroll to the bottom of the file and click after the last character.
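Review bot: The rewritten result-code bullet keeps two defects from the line it replaces: the quoting is unbalanced ("abort" and abandoning" is missing the opening quote on the second string), and it points to "step 7 below" although the procedure is a bulleted list with no step numbers. Fix the quotes and either number the list or refer to the step by name. The unchanged extend-code bullet also reads "a [log files]"; since this hunk is already adding links around it, correct that to "the log files" at the same time.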
diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md
index 16b405ad57..1e417fd432 100644
--- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md
+++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md
@@ -1,159 +1,5 @@
---
title: Set up MDT for BitLocker (Windows 10)
-ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38
-description:
-keywords: disk, encryption, TPM, configure, secure, script
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: set-up-mdt-for-bitlocker
---
-# Set up MDT for BitLocker
-
-This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
-- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
-- Multiple partitions on the hard drive.
-
-To configure your environment for BitLocker, you will need to do the following:
-
-1. Configure Active Directory for BitLocker.
-2. Download the various BitLocker scripts and tools.
-3. Configure the operating system deployment task sequence for BitLocker.
-4. Configure the rules (CustomSettings.ini) for BitLocker.
-
-**Note**
-Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-## Configure Active Directory for BitLocker
-
-To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
-
-**Note**
-Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
-
-In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
-
-
-
-Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
-
-### Add the BitLocker Drive Encryption Administration Utilities
-
-The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
-
-1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**.
-2. On the **Before you begin** page, click **Next**.
-3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**.
-4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**.
-5. On the **Select server roles** page, click **Next**.
-6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**:
- 1. BitLocker Drive Encryption Administration Utilities
- 2. BitLocker Drive Encryption Tools
- 3. BitLocker Recovery Password Viewer
-7. On the **Confirm installation selections** page, click **Install** and then click **Close**.
-
-
-
-Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
-
-### Create the BitLocker Group Policy
-
-Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
-1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
-2. Assign the name **BitLocker Policy** to the new Group Policy.
-3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings:
- Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
- 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
- 1. Allow data recovery agent (default)
- 2. Save BitLocker recovery information to Active Directory Domain Services (default)
- 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
- 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
- 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
- Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
- 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy.
-
-**Note**
-If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
-
-### Set permissions in Active Directory for BitLocker
-
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
-1. On DC01, start an elevated PowerShell prompt (run as Administrator).
-2. Configure the permissions by running the following command:
-
- ``` syntax
- cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
- ```
-
-
-
-Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
-
-## Add BIOS configuration tools from Dell, HP, and Lenovo
-
-If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
-
-### Add tools from Dell
-
-The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
-``` syntax
-cctk.exe --tpm=on --valsetuppwd=Password1234
-```
-### Add tools from HP
-
-The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
-
-``` syntax
-BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
-```
-And the sample content of the TPMEnable.REPSET file:
-
-``` syntax
-English
-Activate Embedded Security On Next Boot
-*Enable
-Embedded Security Activation Policy
-*No prompts
-F1 to Boot
-Allow user to reject
-Embedded Security Device Availability
-*Available
-```
-### Add tools from Lenovo
-
-The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
-``` syntax
-cscript.exe SetConfig.vbs SecurityChip Active
-```
-## Configure the Windows 10 task sequence to enable BitLocker
-
-When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions:
-- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
-- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf.
- **Note**
- It is common for organizations wrapping these tools in scripts to get additional logging and error handling.
-
-- **Restart computer.** Self-explanatory, reboots the computer.
-- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
-- **Enable BitLocker.** Runs the built-in action to activate BitLocker.
-
-## Related topics
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
diff --git a/windows/deploy/set-up-mdt-for-bitlocker.md b/windows/deploy/set-up-mdt-for-bitlocker.md
new file mode 100644
index 0000000000..5047b0b791
--- /dev/null
+++ b/windows/deploy/set-up-mdt-for-bitlocker.md
@@ -0,0 +1,159 @@
+---
+title: Set up MDT for BitLocker (Windows 10)
+ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38
+description:
+keywords: disk, encryption, TPM, configure, secure, script
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Set up MDT for BitLocker
+
+This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
+- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
+- Multiple partitions on the hard drive.
+
+To configure your environment for BitLocker, you will need to do the following:
+
+1. Configure Active Directory for BitLocker.
+2. Download the various BitLocker scripts and tools.
+3. Configure the operating system deployment task sequence for BitLocker.
+4. Configure the rules (CustomSettings.ini) for BitLocker.
+
+**Note**
+Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
+For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+
+## Configure Active Directory for BitLocker
+
+To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
+
+**Note**
+Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
+
+In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
+
+
+
+Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
+
+### Add the BitLocker Drive Encryption Administration Utilities
+
+The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
+
+1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**.
+2. On the **Before you begin** page, click **Next**.
+3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**.
+4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**.
+5. On the **Select server roles** page, click **Next**.
+6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**:
+ 1. BitLocker Drive Encryption Administration Utilities
+ 2. BitLocker Drive Encryption Tools
+ 3. BitLocker Recovery Password Viewer
+7. On the **Confirm installation selections** page, click **Install** and then click **Close**.
+
+
+
+Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
+
+### Create the BitLocker Group Policy
+
+Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
+1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
+2. Assign the name **BitLocker Policy** to the new Group Policy.
+3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings:
+ Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
+ 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
+ 1. Allow data recovery agent (default)
+ 2. Save BitLocker recovery information to Active Directory Domain Services (default)
+ 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
+ 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
+ 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
+ Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
+ 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy.
+
+**Note**
+If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
+
+### Set permissions in Active Directory for BitLocker
+
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
+1. On DC01, start an elevated PowerShell prompt (run as Administrator).
+2. Configure the permissions by running the following command:
+
+ ``` syntax
+ cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
+ ```
+
+
+
+Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
+
+## Add BIOS configuration tools from Dell, HP, and Lenovo
+
+If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
+
+### Add tools from Dell
+
+The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
+``` syntax
+cctk.exe --tpm=on --valsetuppwd=Password1234
+```
+### Add tools from HP
+
+The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
+
+``` syntax
+BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
+```
+And the sample content of the TPMEnable.REPSET file:
+
+``` syntax
+English
+Activate Embedded Security On Next Boot
+*Enable
+Embedded Security Activation Policy
+*No prompts
+F1 to Boot
+Allow user to reject
+Embedded Security Device Availability
+*Available
+```
+### Add tools from Lenovo
+
+The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
+``` syntax
+cscript.exe SetConfig.vbs SecurityChip Active
+```
+## Configure the Windows 10 task sequence to enable BitLocker
+
+When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions:
+- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
+- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf.
+ **Note**
+ It is common for organizations wrapping these tools in scripts to get additional logging and error handling.
+
+- **Restart computer.** Self-explanatory, reboots the computer.
+- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
+- **Enable BitLocker.** Runs the built-in action to activate BitLocker.
+
+## Related topics
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
+
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
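Review bot: The Dell and HP sample commands in the new file pass a literal BIOS password on the command line (--valsetuppwd=Password1234 and /NewAdminPassword:Password1234) with nothing saying it is a placeholder. Since these commands are meant to be pasted into task sequences or script wrappers, add a sentence stating that Password1234 is an example value and that the real password should not be hard-coded in the command line. Other points in this file: the overview lists "Configure the rules (CustomSettings.ini) for BitLocker" as step 4, but no section in the topic covers it; the front matter has an empty description: field; and figure numbering starts at Figure 2 with no Figure 1. If the content was copied unchanged from the 2013 file, this is a good moment to fix these rather than carry them forward.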
diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
index 3677031293..ba135d788d 100644
--- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -50,16 +50,16 @@ Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware ca
## Related topics
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
\ No newline at end of file
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
\ No newline at end of file
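Review bot: The last link line is rewritten but the file still ends without a trailing newline (the "\ No newline at end of file" marker appears on both the removed and the added side). Add the newline in this change so the next edit to the file does not produce a spurious diff on this line.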
diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deploy/troubleshoot-upgrade-readiness.md
index 700408bdd6..2cc9bf9340 100644
--- a/windows/deploy/troubleshoot-upgrade-readiness.md
+++ b/windows/deploy/troubleshoot-upgrade-readiness.md
@@ -11,7 +11,7 @@ If you’re having issues seeing data in Upgrade Readiness after running the Upg
If you still don’t see data in Upgrade Readiness, follow these steps:
-1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
+1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included .
2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).
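Review bot: The new step 1 has a stray space before the full stop in "is included ." that should be removed. The folder is also written here as “Pilot/Diagnostics” in quotes, while upgrade-readiness-deployment-script.md in this same patch bolds the folder names (**Pilot**, **Deployment**). Use one convention so readers can match the two topics.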
diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deploy/upgrade-readiness-architecture.md
index c4cafc8768..93a028f925 100644
--- a/windows/deploy/upgrade-readiness-architecture.md
+++ b/windows/deploy/upgrade-readiness-architecture.md
@@ -13,7 +13,7 @@ Microsoft analyzes system, application, and driver telemetry data to help you de
-->
-
+
After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades.
diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md
index e1decfb250..0206b5764e 100644
--- a/windows/deploy/upgrade-readiness-deployment-script.md
+++ b/windows/deploy/upgrade-readiness-deployment-script.md
@@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following:
To run the Upgrade Readiness deployment script:
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
2. Edit the following parameters in RunConfig.bat:
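Review bot: Step 1 tells the reader to download a .zip, run its Pilot script from an elevated command prompt, and then push the Deployment script across the organization, but nothing in the step asks them to confirm the package is the expected one before it runs with those rights. Consider adding a sentence on checking the download's origin and integrity before running or distributing it. Separately, the folder names are now bold in the first three sentences, but "Pilot version" and "Deployment version" in the last two are not; make the formatting consistent.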
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md
index 9f9abda9b2..4829baa632 100644
--- a/windows/deploy/upgrade-readiness-get-started.md
+++ b/windows/deploy/upgrade-readiness-get-started.md
@@ -44,7 +44,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G
If you are not using OMS:
-1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
+1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **New Customers >** to kick off the onboarding process.
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
@@ -130,4 +130,4 @@ To ensure that user computers are receiving the most up to date data from Micros
### Distribute the deployment script at scale
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
\ No newline at end of file
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deploy/upgrade-readiness-resolve-issues.md
index 7436b86607..bb0e2c452d 100644
--- a/windows/deploy/upgrade-readiness-resolve-issues.md
+++ b/windows/deploy/upgrade-readiness-resolve-issues.md
@@ -53,7 +53,7 @@ For applications assessed as **Attention needed**, review the table below for de
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|-----------|-----------------|------------|
| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
| No action is required for the upgrade to proceed. |
-| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.
The application may work on the new operating system.
| Remove the application before upgrading, and reinstall and test on new operating system. |
+| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.
The application may work on the new operating system.
| Remove the application before upgrading, and reinstall and test on new operating system. |
| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
|
| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
|
| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.
A compatible version of the application may be available.
|
diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deploy/upgrade-readiness-upgrade-overview.md
index 29777cad6f..bf09694a38 100644
--- a/windows/deploy/upgrade-readiness-upgrade-overview.md
+++ b/windows/deploy/upgrade-readiness-upgrade-overview.md
@@ -17,9 +17,13 @@ The following color-coded status changes are reflected on the upgrade overview b
- No delay in processing device inventory data = "Last updated" banner is displayed in green.
- Delay processing device inventory data = "Last updated" banner is displayed in amber.
- Computers with incomplete data:
- - Less than 4% = Count is displayed in black.
+ - Less than 4% = Count is displayed in green.
- 4% - 10% = Count is displayed in amber.
- Greater than 10% = Count is displayed in red.
+- Computers with outdated KB:
+ - Less than 10% = Count is displayed in green.
+ - 10% - 30% = Count is displayed in amber.
+ - Greater than 30% = Count is displayed in red.
- User changes:
- Pending user changes = User changes count displays "Data refresh pending" in amber.
- No pending user changes = User changes count displays "Up to date" in green.
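Review bot: The new "Computers with outdated KB" bullet does not say which KB it counts. The paragraph added later in this file refers to "the compatibility update and related KBs", so use the same wording here (for example "Computers with outdated compatibility update KBs"). That lets a reader tell what the 10% and 30% thresholds measure without following the link.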
@@ -28,6 +32,8 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
+Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:

diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 1739910931..4df01c9022 100644
--- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,6 +1,6 @@
---
-title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10)
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
+description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
author: mtniehaus
---
-# Upgrade to Windows 10 with System Center Configuration Manager
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
**Applies to**
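Review bot: The new title and H1 read "Perform an in-place upgrade to Windows 10 using Configuration Manager", while the MDT counterpart renamed in this same patch reads "Perform an in-place upgrade to Windows 10 with MDT". Pick either "using" or "with" for both so the two topics sit together predictably in the table of contents and in search results.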
diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index a57de8573f..4deadb668f 100644
--- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,5 +1,5 @@
---
-title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
keywords: upgrade, update, task sequence, deploy
@@ -11,7 +11,7 @@ ms.pagetype: mdt
author: mtniehaus
---
-# Upgrade to Windows 10 with the Microsoft Deployment Toolkit
+# Perform an in-place upgrade to Windows 10 with MDT
**Applies to**
- Windows 10
@@ -28,7 +28,7 @@ Figure 1. The machines used in this topic.
## Set up the upgrade task sequence
-MDT 2013 Update 2 adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
+MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
## Create the MDT production deployment share
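Review bot: With "2013 Update 2" dropped, the sentence "MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template" no longer says which release adds the support, and "adds" and "new" now have nothing to refer to. Either state the minimum MDT version the template requires, or reword to something version-neutral such as "MDT supports Windows 10 deployment and includes an in-place upgrade task sequence template".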
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
index 65fb7d646b..e7e0a319ae 100644
--- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
@@ -1,174 +1,4 @@
---
title: Use Orchestrator runbooks with MDT (Windows 10)
-description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
-keywords: web services, database
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: use-orchestrator-runbooks-with-mdt
---
-
-# Use Orchestrator runbooks with MDT
-
-This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
-
-**Note**
-If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
-
-## Orchestrator terminology
-
-Before diving into the core details, here is a quick course in Orchestrator terminology:
-- **Orchestrator Server.** This is a server that executes runbooks.
-- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
-- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
-- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
-- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
-- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
-- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
-
-**Note**
-To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
-
-## Create a sample runbook
-
-This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
-
-1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
-2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
- **Note**
- Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
-
- 
-
- Figure 23. The DeployLog.txt file.
-
-3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
-
- 
-
- Figure 24. Folder created in the Runbooks node.
-
-4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
-5. On the ribbon bar, click **Check Out**.
-6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
-7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
- 1. Runbook Control / Initialize Data
- 2. Text File Management / Append Line
-8. Connect **Initialize Data** to **Append Line**.
-
- 
-
- Figure 25. Activities added and connected.
-
-9. Right-click the **Initialize Data** activity, and select **Properties**
-10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
-
- 
-
- Figure 26. The Initialize Data Properties window.
-
-11. Right-click the **Append Line** activity, and select **Properties**.
-12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
-13. In the **File** encoding drop-down list, select **ASCII**.
-14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
-
- 
-
- Figure 27. Expanding the Text area.
-
-15. In the blank text box, right-click and select **Subscribe / Published Data**.
-
- 
-
- Figure 28. Subscribing to data.
-
-16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
-17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
-18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
-
- 
-
- Figure 29. The expanded text box after all subscriptions have been added.
-
-19. On the **Append Line Properties** page, click **Finish**.
-## Test the demo MDT runbook
-After the runbook is created, you are ready to test it.
-1. On the ribbon bar, click **Runbook Tester**.
-2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
- - OSDComputerName: PC0010
-3. Verify that all activities are green (for additional information, see each target).
-4. Close the **Runbook Tester**.
-5. On the ribbon bar, click **Check In**.
-
-
-
-Figure 30. All tests completed.
-
-## Use the MDT demo runbook from MDT
-
-1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
-2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: OR001
- 2. Task sequence name: Orchestrator Sample
- 3. Task sequence comments: <blank>
- 4. Template: Custom Task Sequence
-3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
-4. Remove the default **Application Install** action.
-5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
-6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
- 1. Name: Set Task Sequence Variable
- 2. Task Sequence Variable: OSDComputerName
- 3. Value: %hostname%
-7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
- 1. Orchestrator Server: OR01.contoso.com
- 2. Use Browse to select **1.0 MDT / MDT Sample**.
-8. Click **OK**.
-
-
-
-Figure 31. The ready-made task sequence.
-
-## Run the orchestrator sample task sequence
-
-Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
-**Note**
-Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
-
-1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2. Using an elevated command prompt (run as Administrator), type the following command:
-
- ``` syntax
- cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
- ```
-3. Complete the Windows Deployment Wizard using the following information:
- 1. Task Sequence: Orchestrator Sample
- 2. Credentials:
- 1. User Name: MDT\_BA
- 2. Password: P@ssw0rd
- 3. Domain: CONTOSO
-4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
-
-
-
-Figure 32. The ready-made task sequence.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
-[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt.md b/windows/deploy/use-orchestrator-runbooks-with-mdt.md
new file mode 100644
index 0000000000..ceb7766904
--- /dev/null
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt.md
@@ -0,0 +1,174 @@
+---
+title: Use Orchestrator runbooks with MDT (Windows 10)
+description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
+keywords: web services, database
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Use Orchestrator runbooks with MDT
+
+This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
+
+**Note**
+If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
+
+## Orchestrator terminology
+
+Before diving into the core details, here is a quick course in Orchestrator terminology:
+- **Orchestrator Server.** This is a server that executes runbooks.
+- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
+- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
+- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
+- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
+- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
+- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
+
+**Note**
+To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
+
+## Create a sample runbook
+
+This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
+
+1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
+2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
+ **Note**
+ Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
+
+ 
+
+ Figure 23. The DeployLog.txt file.
+
+3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
+
+ 
+
+ Figure 24. Folder created in the Runbooks node.
+
+4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
+5. On the ribbon bar, click **Check Out**.
+6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
+7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
+ 1. Runbook Control / Initialize Data
+ 2. Text File Management / Append Line
+8. Connect **Initialize Data** to **Append Line**.
+
+ 
+
+ Figure 25. Activities added and connected.
+
+9. Right-click the **Initialize Data** activity, and select **Properties**
+10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
+
+ 
+
+ Figure 26. The Initialize Data Properties window.
+
+11. Right-click the **Append Line** activity, and select **Properties**.
+12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
+13. In the **File** encoding drop-down list, select **ASCII**.
+14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
+
+ 
+
+ Figure 27. Expanding the Text area.
+
+15. In the blank text box, right-click and select **Subscribe / Published Data**.
+
+ 
+
+ Figure 28. Subscribing to data.
+
+16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
+17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
+18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
+
+ 
+
+ Figure 29. The expanded text box after all subscriptions have been added.
+
+19. On the **Append Line Properties** page, click **Finish**.
+## Test the demo MDT runbook
+After the runbook is created, you are ready to test it.
+1. On the ribbon bar, click **Runbook Tester**.
+2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
+ - OSDComputerName: PC0010
+3. Verify that all activities are green (for additional information, see each target).
+4. Close the **Runbook Tester**.
+5. On the ribbon bar, click **Check In**.
+
+
+
+Figure 30. All tests completed.
+
+## Use the MDT demo runbook from MDT
+
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
+2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ 1. Task sequence ID: OR001
+ 2. Task sequence name: Orchestrator Sample
+ 3. Task sequence comments: <blank>
+ 4. Template: Custom Task Sequence
+3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
+4. Remove the default **Application Install** action.
+5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
+6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
+ 1. Name: Set Task Sequence Variable
+ 2. Task Sequence Variable: OSDComputerName
+ 3. Value: %hostname%
+7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
+ 1. Orchestrator Server: OR01.contoso.com
+ 2. Use Browse to select **1.0 MDT / MDT Sample**.
+8. Click **OK**.
+
+
+
+Figure 31. The ready-made task sequence.
+
+## Run the orchestrator sample task sequence
+
+Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
+**Note**
+Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
+
+1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
+2. Using an elevated command prompt (run as Administrator), type the following command:
+
+ ``` syntax
+ cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
+ ```
+3. Complete the Windows Deployment Wizard using the following information:
+ 1. Task Sequence: Orchestrator Sample
+ 2. Credentials:
+ 1. User Name: MDT\_BA
+ 2. Password: P@ssw0rd
+ 3. Domain: CONTOSO
+4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
+
+
+
+Figure 32. The ready-made task sequence.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
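Review bot: Step 1 of "Create a sample runbook" grants Users modify permissions on E:\Logfile, which is broader than the sample needs, because the only writer described is the runbook's Append Line activity on OR01. Since this file is being republished under a new name, consider scoping the permission to the account the runbook runs under, or add a note that the setting is for the lab only. The same applies to the MDT_BA password shown in the Windows Deployment Wizard step. Smaller carry-overs worth fixing in the same pass:
- Step 9 is missing its full stop after **Properties**.
- Step 10 bolds "the" in "On **the Initialize Data Properties** page".
- "## Test the demo MDT runbook" has no blank line before or after it.
- The Figure 32 caption repeats Figure 31's "The ready-made task sequence."
- "Windows10" in the Related topics link text is missing a space.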
diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 38ae49c0e7..b2bed4243a 100644
--- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -77,16 +77,16 @@ Figure 11. Adding the PC00075 computer to the database.
## Related topics
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
index cd081245c1..21ff12135a 100644
--- a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -41,7 +41,7 @@ As mentioned previously, the default target version in Upgrade Readiness is set
The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610.
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607.
To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
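Review bot: The corrected sentence still ends with "and Windows version 1607", which drops the "10" that the other two list items carry; suggest "and Windows 10 version 1607" while this line is being touched. The unchanged line that follows also reads "when you open you Upgrade Readiness solution", where "you" should be "your".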
@@ -51,4 +51,4 @@ To change the target version setting, click on **Solutions Settings**, which app
On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
-
+
diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md
index 33f1c9a3a7..6d885294e6 100644
--- a/windows/deploy/use-web-services-in-mdt-2013.md
+++ b/windows/deploy/use-web-services-in-mdt-2013.md
@@ -1,132 +1,6 @@
---
title: Use web services in MDT (Windows 10)
-description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
-ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
-keywords: deploy, web apps
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.pagetype: mdt
-ms.sitesec: library
-author: mtniehaus
+redirect_url: use-web-services-in-mdt
---
-# Use web services in MDT
-
-In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
-Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
-
-## Create a sample web service
-
-In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects.
-1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
-2. On the ribbon bar, verify that Release is selected.
-3. In the **Debug** menu, select the **Build MDTSample** action.
-4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
-5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
-6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
- 1. Web.config
- 2. mdtsample.asmx
-
-
-
-Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
-
-## Create an application pool for the web service
-
-This section assumes that you have enabled the Web Server (IIS) role on MDT01.
-1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
-2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
-3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
- 1. Name: MDTSample
- 2. .NET Framework version: .NET Framework 4.0.30319
- 3. Manage pipeline mode: Integrated
- 4. Select the **Start application pool immediately** check box.
- 5. Click **OK**.
-
-
-
-Figure 16. The new MDTSample application.
-
-## Install the web service
-
-1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
- 1. Alias: MDTSample
- 2. Application pool: MDTSample
- 3. Physical Path: E:\\MDTSample
-
- 
-
- Figure 17. Adding the MDTSample web application.
-
-2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
- 1. Anonymous Authentication: Enabled
- 2. ASP.NET Impersonation: Disabled
-
-
-
-Figure 18. Configuring Authentication for the MDTSample web service.
-
-## Test the web service in Internet Explorer
-
-1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
-2. Click the **GetComputerName** link.
-
- 
-
- Figure 19. The MDT Sample web service.
-3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
- 1. Model: Hewlett-Packard
- 2. SerialNumber: 123456789
-
-
-
-Figure 20. The result from the MDT Sample web service.
-
-## Test the web service in the MDT simulation environment
-
-After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
-
-1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
- ``` syntax
- [Settings]
- Priority=Default, GetComputerName
- [Default]
- OSInstall=YES
- [GetComputerName]
- WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
- Parameters=Model,SerialNumber
- OSDComputerName=string
- ```
- 
-
- Figure 21. The updated CustomSettings.ini file.
-
-2. Save the CustomSettings.ini file.
-3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
- ``` syntax
- Set-Location C:\MDT
- .\Gather.ps1
- ```
-4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
-
-
-
-Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
\ No newline at end of file
diff --git a/windows/deploy/use-web-services-in-mdt.md b/windows/deploy/use-web-services-in-mdt.md
new file mode 100644
index 0000000000..a7f2ce0996
--- /dev/null
+++ b/windows/deploy/use-web-services-in-mdt.md
@@ -0,0 +1,132 @@
+---
+title: Use web services in MDT (Windows 10)
+description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
+ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
+keywords: deploy, web apps
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.pagetype: mdt
+ms.sitesec: library
+author: mtniehaus
+---
+
+# Use web services in MDT
+
+In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
+Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
+
+## Create a sample web service
+
+In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects.
+1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
+2. On the ribbon bar, verify that Release is selected.
+3. In the **Debug** menu, select the **Build MDTSample** action.
+4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
+5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
+6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
+ 1. Web.config
+ 2. mdtsample.asmx
+
+
+
+Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
+
+## Create an application pool for the web service
+
+This section assumes that you have enabled the Web Server (IIS) role on MDT01.
+1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
+2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
+3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
+ 1. Name: MDTSample
+ 2. .NET Framework version: .NET Framework 4.0.30319
+ 3. Manage pipeline mode: Integrated
+ 4. Select the **Start application pool immediately** check box.
+ 5. Click **OK**.
+
+
+
+Figure 16. The new MDTSample application.
+
+## Install the web service
+
+1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
+ 1. Alias: MDTSample
+ 2. Application pool: MDTSample
+ 3. Physical Path: E:\\MDTSample
+
+ 
+
+ Figure 17. Adding the MDTSample web application.
+
+2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
+ 1. Anonymous Authentication: Enabled
+ 2. ASP.NET Impersonation: Disabled
+
+
+
+Figure 18. Configuring Authentication for the MDTSample web service.
+
+## Test the web service in Internet Explorer
+
+1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
+2. Click the **GetComputerName** link.
+
+ 
+
+ Figure 19. The MDT Sample web service.
+3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
+ 1. Model: Hewlett-Packard
+ 2. SerialNumber: 123456789
+
+
+
+Figure 20. The result from the MDT Sample web service.
+
+## Test the web service in the MDT simulation environment
+
+After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
+
+1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
+ ``` syntax
+ [Settings]
+ Priority=Default, GetComputerName
+ [Default]
+ OSInstall=YES
+ [GetComputerName]
+ WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
+ Parameters=Model,SerialNumber
+ OSDComputerName=string
+ ```
+ 
+
+ Figure 21. The updated CustomSettings.ini file.
+
+2. Save the CustomSettings.ini file.
+3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
+ ``` syntax
+ Set-Location C:\MDT
+ .\Gather.ps1
+ ```
+4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
+
+
+
+Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+
\ No newline at end of file
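Review bot: In "Install the web service", step 2 sets "Anonymous Authentication: Enabled", and the CustomSettings.ini sample calls the service at "WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName", so the topic documents an unauthenticated plain-HTTP endpoint whose response sets OSDComputerName during deployment. Since the file is being re-added under a new name, suggest adding a short note that this is a lab configuration and that a production service should be published over HTTPS with access limited to the deployment network or accounts. Wording issues carried over from the old file: "C:\\Projects\\MDTSample\\ MDTSample.sln" has a stray space in the path, "copy the following files from C:\\Projects\\MDTSample file to" has a stray "file", the IIS setting is labelled "Managed pipeline mode" rather than "Manage pipeline mode", and the file still ends without a trailing newline.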
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
index 54eb632a5f..e42cec7206 100644
--- a/windows/deploy/windows-10-poc-mdt.md
+++ b/windows/deploy/windows-10-poc-mdt.md
@@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt
+localizationpriority: high
author: greg-lindsay
---
@@ -636,7 +638,7 @@ Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.m
## Related Topics
[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
-[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md)
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md
index ff0b497b45..b7c115e44a 100644
--- a/windows/deploy/windows-10-poc-sc-config-mgr.md
+++ b/windows/deploy/windows-10-poc-sc-config-mgr.md
@@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, sccm, configuration manager
+localizationpriority: high
author: greg-lindsay
---
diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md
index 74b8d0f352..3db31d59c4 100644
--- a/windows/deploy/windows-10-poc.md
+++ b/windows/deploy/windows-10-poc.md
@@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt, sccm
+localizationpriority: high
author: greg-lindsay
---
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
index 0c5b8ff890..3fc038bdd6 100644
--- a/windows/deploy/windows-10-upgrade-paths.md
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -21,9 +21,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.)
->**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
-
->**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#free-upgrade-paths).
+>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed.
@@ -334,77 +332,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
-## Free upgrade paths
-
-Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions:
-- The offer expires on July 29th, 2016.
-- The offer applies to devices connected to the Internet with Windows Update enabled.
-- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1.
-- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile1.
-- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.12.
-
->1The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile).
-
->2Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8.
-
-The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq).
-
-
-
- |
- From |
- To |
-
-
- Windows 7 |
-
-
- |
- Windows 7 Starter |
- Windows 10 Home |
-
-
- |
- Windows 7 Home Basic |
-
-
- |
- Windows 7 Home Premium |
-
-
- |
- Windows 7 Professional |
- Windows 10 Pro |
-
-
- |
- Windows 7 Ultimate |
-
-
- Windows 8/8.1 |
-
-
- |
- Windows Phone 8.1 |
- Windows 10 Mobile |
-
-
- |
- Windows 8/8.1 |
- Windows 10 Home |
-
-
- |
- Windows 8/8.1 Pro |
- Windows 10 Pro |
-
-
- |
- Windows 8/8.1 Pro for Students |
-
-
-
-
## Related Topics
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md
index 1a431a3040..997cf5b753 100644
--- a/windows/deploy/windows-deployment-scenarios-and-tools.md
+++ b/windows/deploy/windows-deployment-scenarios-and-tools.md
@@ -14,7 +14,7 @@ author: mtniehaus
To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
-Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT) 2013 Update 1](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
+Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
@@ -184,23 +184,23 @@ Also, there are a few new features related to TFTP performance:
Figure 10. TFTP changes are now easy to perform.
-## Microsoft Deployment Toolkit 2013 Update 1
+## Microsoft Deployment Toolkit
-MDT 2013 Update 1 is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
+MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
-MDT 2013 Update 1 has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
+MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
**Note**
-Lite Touch and Zero Touch are marketing names for the two solutions that MDT 2013 supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT 2013 Update 1 solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
+Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.

-Figure 11. The Deployment Workbench in MDT 2013, showing a task sequence.
+Figure 11. The Deployment Workbench in, showing a task sequence.
-For more information on MDT 2013 Update 1, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
+For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
## Microsoft Security Compliance Manager 2013
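Review bot: The new Figure 11 caption reads "The Deployment Workbench in, showing a task sequence." The product name was removed rather than shortened, leaving a broken sentence; it should read "Figure 11. The Deployment Workbench in MDT, showing a task sequence." to match the other replacements in this hunk.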
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 82fea36b85..eeb1d26ced 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -168,6 +168,7 @@
##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### [Encrypted Hard Drive](encrypted-hard-drive.md)
+### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
### [Security auditing](security-auditing-overview.md)
#### [Basic security audit policies](basic-security-audit-policies.md)
##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
@@ -572,7 +573,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@@ -768,16 +769,19 @@
######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
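Review bot: The TOC entry for configure-aad-windows-defender-advanced-threat-protection.md is removed here and replaced by enable-siem-integration-windows-defender-advanced-threat-protection.md, but nothing in this hunk shows what happens to the old topic. Please confirm the old file is either deleted or turned into a redirect stub (as this change does for the "-2013" MDT topics with redirect_url), so that existing links to the Azure Active Directory setup steps do not land on a page that is no longer reachable from the TOC.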
@@ -785,7 +789,7 @@
###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
-##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md)
+##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
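Review bot: This hunk fixes the "advacned" misspelling in the advanced-features link, but the surrounding entries still point at "fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md" ("unhealhty"). Suggest renaming that file and updating its TOC links and anchors in the same pass, with a redirect from the old name, so the two filename typos are handled consistently.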
diff --git a/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md
rename to windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..d551629b2e
--- /dev/null
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,80 @@
+---
+title: Windows Defender ATP alert API fields
+description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
+keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Windows Defender ATP alert API fields
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+
+
+# Alert API fields and portal mapping
+Field numbers match the numbers in the images below.
+
+Portal label | SIEM field name | Description
+:---|:---|:---
+1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
+2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/`
+3 | AlertTitle | Alert title
+4 | Actor | Actor name
+5 | AlertTime | Last time the alert was observed
+6 | Severity | Alert severity
+7 | Category | Alert category
+8 | Status in queue | Alert status in queue
+9 | ComputerDnsName| Computer DNS name and machine name
+10| IoaDefinitionId | (Internal only)
ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.
**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
+11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
+12 | FileName | File name
+13 | FileHash | Sha1 of file observed
+14 | FilePath | File path
+15 | IpAddress | IP of the IOC (when relevant)
+16 | URL | URL of the IOC (when relevant)
+17 | FullId | (Internal only)
Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
+18 | AlertPart | (Internal only)
Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
+19 | LastProccesedTimeUtc | (Internal only)
Time the alert was last processed in Windows Defender ATP.
+20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
+21 | ThreatCategory| Windows Defender AV threat category
+22 | ThreatFamily | Windows Defender AV family name
+23 | RemediationAction | Windows Defender AV threat category |
+24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
+25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
+26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
+27 | Md5 | Md5 of file observed (when available)
+28 | Sha256 | Sha256 of file observed (when available)
+29 | ThreatName | Windows Defender AV threat name
+
+>[!NOTE]
+> Fields #21-29 are related to Windows Defender Antivirus alerts.
+
+
+
+
+
+
+
+
+
+
+
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
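Review bot: In the field table, row 23 (`RemediationAction`) has the description "Windows Defender AV threat category", the same text as row 21 (`ThreatCategory`), which looks like a copy-paste slip. It should describe the remediation action, and the stray trailing `|` on that row should be removed. The intro line "Field numbers match the numbers in the images below" has nothing to point at, because no image is added anywhere in this file. `LastProccesedTimeUtc` in row 19 should be checked against the actual API response so the documented name is the one SIEM rules will key on. The file also has two level-1 headings and a long run of empty lines before "Related topics" that can be trimmed.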
diff --git a/windows/keep-secure/code/example-script.ps1 b/windows/keep-secure/code/example-script.ps1
new file mode 100644
index 0000000000..e6563c2378
--- /dev/null
+++ b/windows/keep-secure/code/example-script.ps1
@@ -0,0 +1,60 @@
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
+
+
+Try
+{
+ $tokenPayload = @{
+ "resource" = 'https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+ "Fetching an access token"
+ $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+ $token = $response.access_token
+ "Token fetched successfully"
+
+ $headers = @{
+ "Content-Type" = "application/json"
+ "Accept" = "application/json"
+ "Authorization" = "Bearer {0}" -f $token }
+
+ $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+ $alertDefinitionPayload = @{
+ "Name" = "Test Alert"
+ "Severity" = "Medium"
+ "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
+ "Title" = "Test alert."
+ "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
+ "RecommendedAction" = "No recommended action for this test alert."
+ "Category" = "SuspiciousNetworkTraffic"
+ "Enabled" = "true"}
+ "Creating an Alert Definition"
+ $alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+ "Alert Definition created successfully"
+ $alertDefinitionId = $alertDefinition.Id
+
+ $iocPayload = @{
+ "Type"="IpAddress"
+ "Value"="52.184.197.12"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+ "Creating an Indicator of Compromise"
+ $ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+ "Indicator of Compromise created successfully"
+
+ "All done!"
+}
+Catch
+{
+ 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
+}
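Review bot: `$clientSecret = 'Your Client Secret'` at the top of the script invites readers to paste a live OAuth client secret into a file that will be saved and passed around. Suggest reading it at run time (a prompt or an environment variable) and saying so in a comment. `$authUrl` is likewise a free-form string, and the secret is posted to it by the first `Invoke-RestMethod` with no check that it is an `https://` URL. The `Catch` block only writes the exception message, so the script still ends with a success status, and a failure in the last `Invoke-RestMethod` leaves the "Test Alert" definition created with no indicator attached. Rethrowing after the message would make that visible. `"Enabled" = "true"` is a string in both payloads, so `ConvertTo-Json` emits a JSON string rather than a boolean; confirm that is what the API expects. A comment explaining what the hard-coded `52.184.197.12` is would tell readers whether it is safe to leave in their tenant.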
diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1
index 278824d13a..6941c80627 100644
--- a/windows/keep-secure/code/example.ps1
+++ b/windows/keep-secure/code/example.ps1
@@ -1,8 +1,6 @@
-$tenantId = '{Your Tenant ID}'
-$clientId = '{Your Client ID}'
-$clientSecret = '{Your Client Secret}'
-
-$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
$tokenPayload = @{
"resource"='https://graph.windows.net'
diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py
index 7bf906738c..6203b5230b 100644
--- a/windows/keep-secure/code/example.py
+++ b/windows/keep-secure/code/example.py
@@ -2,11 +2,9 @@ import json
import requests
from pprint import pprint
-tenant_id="{your tenant ID}"
-client_id="{your client ID}"
-client_secret="{your client secret}"
-
-auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id)
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
index d7147d12a9..7f3ba226aa 100644
--- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
@@ -22,7 +22,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
+You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://ms.portal.azure.com).
@@ -78,12 +78,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
23. Save the application changes.
-After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM.
+After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM.
## Obtain a refresh token using an events URL
Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
>[!NOTE]
->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
+>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
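Review bot: The context lines of this hunk still direct readers to obtain a refresh token "using an events URL" after configuring an AAD application, while the ArcSight page changed in this same patch now says the tokens are generated from the SIEM integration setup section of the portal or with restutil. If the AAD procedure has been superseded, changing "consume" to "pull" is not enough. Either state which method is current or link from here to the enable-SIEM-integration topic.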
@@ -111,6 +111,6 @@ You'll use these values to obtain a refresh token.
After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index c4ebb2bd23..21b8b172ec 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Configure HP ArcSight to consume Windows Defender ATP alerts
-description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
+title: Configure HP ArcSight to pull Windows Defender ATP alerts
+description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Configure HP ArcSight to consume Windows Defender ATP alerts
+# Configure HP ArcSight to pull Windows Defender ATP alerts
**Applies to:**
@@ -21,86 +21,165 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
+You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin
+Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
-- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- - OAuth 2 Token refresh URL
- - OAuth 2 Client ID
- - OAuth 2 Client secret
-- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values:
+This section guides you in getting the necessary information to set and use the required configuration files correctly.
- - **client_ID**: OAuth 2 Client ID
- - **client_secret**: OAuth 2 Client secret
- - **auth_url**: ```https://login.microsoftonline.com/?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
+- Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- >[!NOTE]
- >Replace *tenantID* with your tenant ID.
+- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
+ - OAuth 2.0 Token refresh URL
+ - OAuth 2.0 Client ID
+ - OAuth 2.0 Client secret
- - **token_url**: `https://login.microsoftonline.com//oauth2/token`
+- Have the following configuration files ready:
+ - WDATP-connector.properties
+ - WDATP-connector.jsonparser.properties
- >[!NOTE]
- >Replace the *tenantID* value with your tenant ID.
+ You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
- - **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- - **scope**: Leave the value blank
+- Make sure you generate the following tokens and have them ready:
+ - Access token
+ - Refresh token
-- Download the [WDATP-connector.jsonparser.properties](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
-- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet.
+ You can generate these tokens from the **SIEM integration** setup section of the portal.
-## Configure HP ArcSight
-The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide.
+## Install and configure HP ArcSight SmartConnector
+The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
-1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder.
+1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
-2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `\current\user\agent\flexagent` folder of the connector installation folder.
+2. Follow the installation wizard through the following tasks:
+ - Introduction
+ - Choose Install Folder
+ - Choose Install Set
+ - Choose Shortcut Folder
+ - Pre-Installation Summary
+ - Installing...
-3. Open an elevated command-line:
+ You can keep the default values for each of these tasks or modify the selection to suit your requirements.
- a. Go to **Start** and type **cmd**.
+3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example:
- b. Right-click **Command prompt** and select **Run as administrator**.
+ - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
-4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears.
+ - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
-5. In the form fill in the following required fields with these values:
- >[!NOTE]
- >All other values in the form are optional and can be left blank.
+ NOTE:
+ You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
-
-
-
- Field |
- Value |
-
-
- Configuration File |
- Type in the name of the client property file. It must match the client property file. |
-
- Events URL |
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
- **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME |
-
- Authentication Type |
- OAuth 2 |
-
- OAuth 2 Client Properties file |
- Select *wdatp-connector.properties*. |
-
- Refresh Token |
- You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token. For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). **To get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\\current\bin`. b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Paste the value in the form.
- |
-
-
-
-6. Select **Next**, then **Save**.
+4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
-7. Run the connector. You can choose to run in Service mode or Application mode.
+5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
-8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
+
+
+
+
+ Field |
+ Value |
+
+
+ Configuration File |
+ Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
+ For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file. |
+
+ Events URL |
+ Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME |
+
+ Authentication Type |
+ OAuth 2 |
+
+ OAuth 2 Client Properties file |
+ Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded. |
+
+ Refresh Token |
+ You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool.
For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). **Get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the **Refresh Token** field.
+ |
+
+
+
+7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
+If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
+
+8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
+
+9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
+
+10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
+
+11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
+
+11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
+
+12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
+
+13. Select **Install as a service** and click **Next**.
+
+14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
+
+13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
+
+14. Finish the installation by selecting **Exit** and **Next**.
+
+## Install and configure the HP ArcSight console
+1. Follow the installation wizard through the following tasks:
+ - Introduction
+ - License Agreement
+ - Special Notice
+ - Choose ArcSight installation directory
+ - Choose Shortcut Folder
+ - Pre-Installation Summary
+
+2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
+
+3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
+
+4. Select **Use direct connection**, then click **Next**.
+
+5. Select **Password Based Authentication**, then click **Next**.
+
+6. Select **This is a single user installation. (Recommended)**, then click **Next**.
+
+7. Click **Done** to quit the installer.
+
+8. Login to the HP ArcSight console.
+
+9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
+
+10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
+
+You can now run queries in the HP ArcSight console.
+
+Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+
+
+## Troubleshooting HP ArcSight connection
+**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
+
+**Symptom:** You get the following error message:
+
+`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
+
+**Solution:**
+1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
+2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
+`reauthenticate=true`.
+
+3. Restart the connector by running the following command: `arcsight.bat connectors`.
+
+ A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
+
+> [!NOTE]
+> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
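Review bot: In the Refresh Token row, step b now reads `arcsight restutil token -config` with no file argument, where the removed text passed the path to WDATP-connector.properties. As written the command is incomplete, so restore the argument using the *folder_location* placeholder. The numbered steps under "Install and configure HP ArcSight SmartConnector" repeat 11 and then run 12, 13, 14, 13, 14, which makes any reference to a step number ambiguous. Step 7 refers to `redirect_uri`, but the lines that defined it were removed, so say where it is set. Since the text presents an http `redirect_uri` as a way to avoid the certificate prompt, also state which scheme is recommended. Smaller items: a space is missing in "bin`.You" in step 1; the file name is cased "WDATP-Connector" in the Configuration File row but "WDATP-connector" elsewhere; console step 10 says "stop the process again" with no earlier stop; and the vendor string in the closing sentence opens with a straight quote and closes with a curly one.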
diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 2ad2430c0e..c4a85d0274 100644
--- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -64,5 +64,5 @@ This section lists various issues that you may encounter when using email notifi
## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 775b756512..49e9d275ab 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -45,9 +45,7 @@ You can use System Center Configuration Manager’s existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic.
-
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
index 35dead1efe..ba1f5cc851 100644
--- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection
-description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API.
+title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection
+description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
ms.prod: w10
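Review bot: The `keywords` line left unchanged in this hunk still lists "custom indicators", "alert definitions" and "indicators of compromise", but the new title and description cover only pulling alerts, and the custom indicator section is removed later in this file. Update the keywords in the same change so the search metadata matches the page.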
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Consume alerts and create custom indicators
+# Pull alerts to your SIEM tools
**Applies to:**
@@ -21,8 +21,10 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-## Consume alerts using supported security information and events management (SIEM) tools
-Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+## Pull alerts using supported security information and events management (SIEM) tools
+Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP currently supports the following SIEM tools:
@@ -32,20 +34,26 @@ Windows Defender ATP currently supports the following SIEM tools:
To use either of these supported SIEM tools you'll need to:
-- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+ - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+ - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-## Create custom threat indicators in Windows Defender ATP
-You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization.
+For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
+
+
+## Pull Windows Defender ATP alerts using REST API
+Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
+
+For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
-For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md).
## In this section
Topic | Description
:---|:---
-[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools.
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts.
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts.
+[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
+[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
+[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
+[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
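Review bot: The "Create custom threat indicators" section and its link to custom-ti-api-windows-defender-advanced-threat-protection.md are removed here, but that topic is still being edited later in this patch, so it stays live. Confirm it is still reachable from another index page, or keep a one-line pointer in this topic. Minor: in the added "alerts API see, [Windows Defender ATP alert API fields]" the comma belongs before "see", not after it.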
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
index 8dc36252d3..f40c7d579d 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Configure Splunk to consume Windows Defender ATP alerts
-description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal.
+title: Configure Splunk to pull Windows Defender ATP alerts
+description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10
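Review bot: The new description, "Configure Splunk to receive and pull alerts", comes from swapping "consume" for "pull" word for word and now says the same thing twice. "Configure Splunk to pull alerts from the Windows Defender ATP portal." is enough.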
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Configure Splunk to consume Windows Defender ATP alerts
+# Configure Splunk to pull Windows Defender ATP alerts
**Applies to:**
@@ -21,16 +21,19 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
+You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
-- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).
-- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- - OAuth 2 Token refresh URL
- - OAuth 2 Client ID
- - OAuth 2 Client secret
+- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
+ - OAuth 2 Token refresh URL
+ - OAuth 2 Client ID
+ - OAuth 2 Client secret
+
+- Have the refresh token that you generated from the SIEM integration feature ready.
## Configure Splunk
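Review bot: The prerequisites list only the refresh token (last added bullet), but the field table changed further down in this file also adds an "OAuth 2 Access token" row, and the enable-siem topic says **Generate tokens** returns both an access and a refresh token. List both tokens here so readers collect them before they start. The first added bullet is also missing its closing period after the link. Because the details file holds the OAuth 2 client secret, a short reminder to keep that file protected would fit in the second bullet.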
@@ -39,14 +42,16 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
3. Click **REST** under **Local inputs**.
-> [!NOTE]
-> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
+
+ NOTE:
+ This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
4. Click **New**.
5. Type the following values in the required fields, then click **Save**:
-> [!NOTE]
->All other values in the form are optional and can be left blank.
+
+ NOTE:
+ All other values in the form are optional and can be left blank.
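Review bot: Both `> [!NOTE]` callouts in these steps are replaced with a plain "NOTE:" line followed by the text, while the custom-ti-api hunk in this same patch adds new `>[!NOTE]` blocks. Use one convention across the change. As written, "NOTE:" and the sentence after it will also flow into a single paragraph with no visual distinction from the step text, so if the callout syntax has to go, at least bold the label.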
@@ -56,8 +61,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
Endpoint URL |
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts
-
+ | Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`**For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`
|
HTTP Method |
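Review bot: In the new Endpoint URL cell the code spans are glued to the label: the EU span closes directly against `**For US:**` with no space, and the US span opens with a leading space inside the backticks. A reader who copies the US value from the rendered page can end up with a URL that starts with a space, which is an easy way to get a failing input. Put a space or line break before `**For US:**` and move the space outside the backtick.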
@@ -66,16 +70,24 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
Authentication Type |
oauth2 |
+ OAuth 2 Access token |
+ Use the value that you generated when you enabled the SIEM integration feature. NOTE: The access token expires after an hour. |
+
+
+ OAuth 2 Refresh Token |
+ Use the value that you generated when you enabled the **SIEM integration** feature. |
+
+
OAuth 2 Token Refresh URL |
- Value taken from AAD application |
+ Use the value from the details file you saved when you enabled the **SIEM integration** feature. |
OAuth 2 Client ID |
- Value taken from AAD application |
+ Use the value from the details file you saved when you enabled the **SIEM integration** feature. |
OAuth 2 Client Secret |
- Value taken from AAD application |
+ Use the value from the details file you saved when you enabled the **SIEM integration** feature. |
Response type |
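Review bot: The new "OAuth 2 Access token" row says the token expires after an hour but does not say what the reader should expect then. State whether any action is needed on expiry, or whether the refresh token and Token Refresh URL rows that follow are what cover renewal. This row also leaves "SIEM integration" unbolded while the four rows after it bold it.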
@@ -102,11 +114,27 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-You can use the following query as an example in Splunk:
-```source="rest://windows atp alerts"|spath|table*```
+## View alerts using Splunk solution explorer
+Use the solution explorer to view alerts in Splunk.
+
+1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
+
+2. Select **New**.
+
+3. Enter the following details:
+ - Destination app: Select Search & Reporting (search)
+ - Search name: Enter a name for the query
+ - Search: Enter a query, for example:
+ `source="rest://windows atp alerts"|spath|table*`
+
+ Other values are optional and can be left with the default values.
+4. Click **Save**. The query is saved in the list of searches.
+
+5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
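Review bot: Step 1 of the new procedure points to **Settings** > **Searchers, reports, and alerts**, which looks like a typo for "Searches, reports, and alerts"; UI labels need to match exactly or readers will not find the menu. The section heading mentions a "solution explorer" that none of the steps refer to again, so either name where it appears in the UI or retitle the section after what the steps do (saving and running a search). A blank line is also missing between the "Other values are optional" line and step 4, unlike the other steps.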
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 5fdb54b819..dab9e6eabd 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -316,7 +316,7 @@ DG_Readiness_Tool_v3.0.ps1 -Ready
- **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
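Review bot: The only change here is the indentation of the Event ID 51 line, but the sample it re-indents ends with "TPM PCR mask: 0x0" immediately after a sentence saying that with a TPM the mask "will be something other than 0". A reader checking for TPM-backed key protection will take the sample as the expected output. Either show a non-zero mask or label the sample as the no-TPM case. While this block is open, the last context bullet has "malwar efrom" for "malware from".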
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
index 8c54c753a6..e8032882a1 100644
--- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Create custom threat intelligence using REST API in Windows Defender ATP
+title: Create threat intelligence using REST API in Windows Defender ATP
description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
search.product: eADQiWindows 10XVcnh
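Review bot: The title drops "custom" ("Create threat intelligence using REST API") while the description and keywords directly below still say "custom alert definitions" and "custom threat intelligence", and the companion topic is retitled "Enable the custom threat intelligence API" in this same patch. Keep "custom" in the title or update the description and keywords to match.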
@@ -54,6 +54,44 @@ For this URL:
**Quotas**
Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
+## Request an access token from the token issuing endpoint
+Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Preferences settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
+
+For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow).
+
+Make an HTTP POST request to the token issuing endpoint with the following parameters, replacing ``, ``, and `` with your app's client ID, client secret and authorization server URL.
+
+>[!NOTE]
+> The authorization server URL is `https://login.windows.net//oauth2/token`. Replace `` with your Azure Active Directory tenant ID.
+
+>[!NOTE]
+> The ``, ``, and the `` are all provided to you when enabling the custom threat intelligence application. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+
+```
+POST HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=client_credentials
+&client_id=
+&client_secret=
+&resource=https://graph.microsoft.com
+```
+The response will include an access token and expiry information.
+
+```json
+{
+ "token_type": "Bearer",
+ "expires_in": "3599",
+ "ext_expires_in": "0",
+ "expires_on": "1449685363",
+ "not_before": "1449681463",
+ "resource": "https://graph.microsoft.com",
+ "access_token": ""
+}
+
+```
+
## Threat intelligence API metadata
The metadata document ($metadata) is published at the service root.
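Review bot: The first paragraph of the new section tells automated clients to use the Client Credentials Grant and cites RFC 6749 section 4.4, but the very next "For more information" link targets "active-directory-protocols-oauth-code#oauth-20-authorization-flow", which documents the authorization code flow. Point that link at client credentials documentation or drop it, otherwise readers are sent to a flow the request example does not use. As the text stands here the placeholders are also empty: "replacing ``, ``, and ``", "POST HTTP/1.1" with no URL, and "client_id=" and "client_secret=" with no values, so check that the angle-bracket names survive rendering. The json block carries a stray blank line before its closing fence.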
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index c2c75d2d52..4aba77f8b3 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -55,14 +55,14 @@ This tile shows you a list of machines with the highest number of active alerts.
Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
-You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
+You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
## Users at risk
The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).

-Click the user account to see details about the user account. For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection]
+Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
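Review bot: The rename is only half applied in the first changed sentence: it now says click **Machines list** "to go directly to the **Machines view**", and the link text that follows still reads "Machines view". If the UI label changed to "Machines list", update the destination name and link text in the same sentence; if only the tile link was renamed, say so explicitly.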
@@ -97,7 +97,7 @@ There are two status indicators that provide information on the number of machin
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected.
-When you click any of the groups, you’ll be directed to machines view, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
+When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
## Service health
The **Service health** tile informs you if the service is active or if there are issues.
diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
index e62a85a083..e717a28f79 100644
--- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Enable the custom threat intelligence application in Windows Defender ATP
-description: Enable the custom threat intelligence application in Windows Defender ATP so that you can create custom threat intelligence using REST API.
+title: Enable the custom threat intelligence API in Windows Defender ATP
+description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI).
keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens
search.product: eADQiWindows 10XVcnh
ms.prod: w10
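Review bot: In the new description, "Learn how to setup" should be "set up" (verb form). The title now says "custom threat intelligence API" while the description still says "custom threat intelligence application"; use the same term in both so search results and the page heading agree.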
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Enable the custom threat intelligence application
+# Enable the custom threat intelligence API in Windows Defender ATP
**Applies to:**
@@ -27,13 +27,15 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee
1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
+ 
+
2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values.
3. Copy the individual values or select **Save details to file** to download a file that contains all the values.
- >[!WARNING]
- >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
+ WARNING:
+ The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
4. Select **Generate tokens** to get an access and refresh token.
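Review bot: Step 1 still says **Preference Setup**, while the screenshot added under it is named preferences-setup-threat-intel-api.png, the new enable-siem topic says **Preferences setup**, and the custom-ti-api hunk says "**Preferences settings** page". These all appear to name the same menu; pick the label the portal actually shows and use it in all three topics. Separately, the client secret warning under step 3 loses its callout and becomes three plain lines that will render as one running paragraph; this is the one message on the page readers must not miss, so keep it visually distinct.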
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a645f8ccad
--- /dev/null
+++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,55 @@
+---
+title: Enable SIEM integration in Windows Defender Advanced Threat Protection
+description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
+keywords: enable siem connector, siem, connector, security information and events
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Enable SIEM integration in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
+
+1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
+
+ 
+
+2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
+
+ WARNING:
+ The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
+
+3. Choose the SIEM type you use in your organization.
+
+ NOTE:
+ If you select HP ArcSight, you'll need to save these two configuration files:
+ - WDATP-connector.jsonparser.properties
+ - WDATP-connector.properties
+
+ If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.
+
+4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
+
+5. Select **Generate tokens** to get an access and refresh token.
+
+You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
+
+## Related topics
+- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
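Review bot: The WARNING under step 2 links to troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret, which is the troubleshooting topic for the custom threat intelligence application; confirm that procedure also applies to the SIEM connector application created here, or link to SIEM-specific guidance. The warning also sits under step 2, before the values are copied or saved in step 4, so consider moving it next to step 4 and noting that the saved details file contains the client secret and needs the same protection. Typos: "created under you Azure Active Directory" should be "your", and "see, [Learn how to get a new secret]" has the comma on the wrong side of "see".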
diff --git a/windows/keep-secure/enterprise-certificate-pinning.md b/windows/keep-secure/enterprise-certificate-pinning.md
new file mode 100644
index 0000000000..b6b15f7df9
--- /dev/null
+++ b/windows/keep-secure/enterprise-certificate-pinning.md
@@ -0,0 +1,450 @@
+---
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.author: mstephens
+author: MikeStephens-MS
+description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
+manager: alanth
+ms.date: 2016-12-27
+ms.prod: w10
+ms.technology: security
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Enterprise Certificate Pinning
+
+**Applies to**
+- Windows 10
+
+Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
+Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
+
+>[!NOTE]
+> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP.
+
+Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates.
+These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
+Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
+
+## Deployment
+
+To deploy enterprise certificate pinning, you need to:
+
+- Create a well-formatted certificate pinning rule XML file
+- Create a pin rules certificate trust list file from the XML file
+- Apply the pin rules certificate trust list file to a reference administrative computer
+- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520).
+
+### Create a Pin Rules XML file
+
+The XML-based pin rules file consists of a sequence of PinRule elements.
+Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
+
+```code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### PinRules Element
+
+The PinRules element can have the following attributes.
+For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
+
+- **Duration** or **NextUpdate**
+
+ Specifies when the Pin Rules will expire.
+ Either is required.
+ **NextUpdate** takes precedence if both are specified.
+
+ **Duration**, represented as an XML TimeSpan data type, does not allow years and months.
+ You represent the **NextUpdate** attribute as a XML DateTime data type in UTC.
+
+ **Required?** Yes. At least one is required.
+
+- **LogDuration** or **LogEndDate**
+
+ Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
+
+ **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
+
+ You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
+
+ If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes.
+
+ **Required?** No.
+
+- **ListIdentifier**
+
+ Provides a friendly name for the list of pin rules.
+ Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
+
+ **Required?** No.
+
+#### PinRule Element
+
+The **PinRule** element can have the following attributes:
+
+- **Name**
+
+ Uniquely identifies the **PinRule**.
+ Windows uses this attribute to identify the element for a parsing error or for verbose output.
+ The attribute is not included in the generated certificate trust list (CTL).
+
+ **Required?** Yes.
+
+- **Error**
+
+ Describes the action Windows performs when it encounters a PIN mismatch.
+ You can choose from the following string values:
+ - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
+ - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
+ - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction.
+
+ **Required?** No.
+
+- **Log**
+
+ A Boolean value represent as string that equals **true** or **false**.
+ By default, logging is enabled (**true**).
+
+ **Required?** No.
+
+#### Certificate element
+
+The **Certificate** element can have the following attributes:
+
+- **File**
+
+ Path to a file containing one or more certificates.
+ Where the certificate(s) can be encoded as:
+ - single certificate
+ - p7b
+ - sst.
+
+ These files can also be Base64 formatted.
+ All **Site** elements included in the same **PinRule** element can match any of these certificates.
+
+ **Required?** Yes (File, Directory or Base64 must be present).
+
+- **Directory**
+
+ Path to a directory containing one or more of the above certificate files.
+ Skips any files not containing any certificates.
+
+ **Required?** Yes (File, Directory or Base64 must be present).
+
+- **Base64**
+
+ Base64 encoded certificate(s).
+ Where the certificate(s) can be encoded as:
+ - single certificate
+ - p7b
+ - sst.
+
+ This allows the certificates to be included in the XML file without a file directory dependency.
+
+ > [!Note]
+ > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule.
+
+ **Required?** Yes (File, Directory or Base64 must be present).
+
+- **EndDate**
+
+ Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
+
+ If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
+
+ If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
+
+ For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).
+
+ **Required?** No.
+
+#### Site element
+
+The **Site** element can have the following attributes:
+
+- **Domain**
+
+ Contains the DNS name to be matched for this pin rule.
+ When creating the certificate trust list, the parser normalizes the input name string value as follows:
+ - If the DNS name has a leading "*" it is removed.
+ - Non-ASCII DNS name are converted to ASCII Puny Code.
+ - Upper case ASCII characters are converted to lower case.
+
+ If the normalized name has a leading ".", then, wildcard left hand label matching is enabled.
+ For example, ".xyz.com" would match "abc.xyz.com".
+
+ **Required?** Yes.
+
+- **AllSubdomains**
+
+ By default, wildcard left hand label matching is restricted to a single left hand label.
+ This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
+
+ For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.
+
+ **Required?** No.
+
+### Create a Pin Rules Certificate Trust List
+
+The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
+The usage syntax is:
+
+```code
+CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile]
+ Generate Pin Rules CTL
+ XMLFile -- input XML file to be parsed.
+ CTLFile -- output CTL file to be generated.
+ SSTFile -- optional .sst file to be created.
+ The .sst file contains all of the certificates
+ used for pinning.
+
+Options:
+ -f -- Force overwrite
+ -v -- Verbose operation
+```
+
+The same certificate(s) can occur in multiple **PinRule** elements.
+The same domain can occur in multiple **PinRule** elements.
+Certutil coalesces these in the resultant pin rules certificate trust list.
+
+Certutil.exe does not strictly enforce the XML schema definition.
+It does perform the following to enable other tools to add/consume their own specific elements and attributes:
+
+- Skips elements before and after the **PinRules** element.
+- Skips any element not matching **Certificate** or **Site** within the **PinRules** element.
+- Skips any attributes not matching the above names for each element type.
+
+Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules.
+Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list.
+
+```code
+certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
+```
+
+### Applying Certificate Pinning Rules to a Reference Computer
+
+Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
+To simplify the deployment configuration, it is best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) that is include in the Remote Server Administration Tools (RSAT).
+
+Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument.
+The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
+This secondary argument is **chain\PinRules**.
+The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
+You’ll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
+You need to perform this command from an elevated command prompt.
+
+```code
+Certutil -setreg chain\PinRules @pinrules.stl
+```
+
+Certutil writes the binary information to the following registration location:
+
+| Name | Value |
+|------|-------|
+| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
+| Name | PinRules |
+| Value | Binary contents from the certificate pin rules certificate trust list file |
+| Data type | REG_BINARY |
+
+
+
+### Deploying Enterprise Pin Rule Settings using Group Policy
+
+You’ve successfully created a certificate pinning rules XML file.
+From the XML file you have created a certificate pinning trust list file, and you have applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
+Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
+
+Sign-in to the reference computer using domain administrator equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the forest node and then expand the domain node.
+3. Expand the node that has contains your Active Directory’s domain name
+4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
+5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
+6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
+7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**.
+8. Right-click the **Registry** node and click **New**.
+9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
+10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
+ HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+ Click **Select** to close the **Registry Item Browser**.
+11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
+
+ 
+
+12. Close the **Group Policy Management Editor** to save your settings.
+13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
+
+## Additional Pin Rules Logging
+
+To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
+
+```code
+HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+```
+
+| Name | Value |
+|------|-------|
+| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
+| Name | PinRulesLogDir |
+| Value | The Parent directory where Windows should write the additional pin rule logs |
+| Data type | REG_SZ |
+
+### Permission for the Pin Rule Log Folder
+
+The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
+You can run the following commands from an elevated command prompt to achieved the proper permissions.
+
+```code
+set PinRulesLogDir=c:\PinRulesLog
+mkdir %PinRulesLogDir%
+icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
+icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F)
+icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
+icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
+```
+
+Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server’s chain to one of three child folders:
+
+- AdminPinRules
+ Matched a site in the enterprise certificate pinning rules.
+- AutoUpdatePinRules
+ Matched a site in the certificate pinning rules managed by Microsoft.
+- NoPinRules
+ Didn’t match any site in the certificate pin rules.
+
+The output file name consists of the leading 8 ASCII hex digits of the root’s SHA1 thumbprint followed by the server name.
+For example:
+
+- D4DE20D0_xsi.outlook.com.p7b
+- DE28F4A4_www.yammer.com.p7b
+
+If there is either an enterprise certificate pin rule or Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
+If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
+
+## Representing a Date in XML
+
+Many attributes within the pin rules xml file are dates.
+These dates must be properly formatted and represented in UTC.
+You can use Windows PowerShell to format these dates.
+You can then copy and paste the output of the cmdlet into the XML file.
+
+
+
+For simplicity, you can truncate decimal point (.) and the numbers after it.
+However, be certain to append the uppercase “Z” to the end of the XML date string.
+
+```code
+2015-05-11T07:00:00.2655691Z
+2015-05-11T07:00:00Z
+```
+
+## Converting an XML Date
+
+You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date.
+
+
+
+## Representing a Duration in XML
+
+Some elements may be configured to use a duration rather than a date.
+You must represent the duration as an XML timespan data type.
+You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
+
+
+
+## Converting an XML Duration
+
+You can convert a XML formatted timespan into a timespan variable that you can read.
+
+
+
+## Certificate Trust List XML Schema Definition (XSD)
+
+```code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+
+
+
+
+
+
+
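Review bot: The commands under "Permission for the Pin Rule Log Folder" grant full control `(F)` to `*S-1-1-0`, `*S-1-15-2-1` and `*S-1-5-12` and set a low integrity label, but the text never names these principals or says how long the folder should exist. Please name them next to the commands (Everyone, ALL APPLICATION PACKAGES and restricted code), and add a closing step that clears **PinRulesLogDir** and removes the folder once the pin rules are built, since the section presents logging as an aid "to assist in constructing certificate pinning rules". Smaller points in the same file: step 11 of the Group Policy procedure says **_REGBINARY_** while the registry table says `REG_BINARY`; the Base64 note reads "use **certutil -encode** to a .cer file" with the verb missing; the EndDate text has "outputs a warning message and exclude"; "that is include in", "pining rules" and "validate convert an XML date" need fixing. In the lines shown here, the four date and duration sections and the XSD code block have no content after their introductory sentences, so check that the image links and the schema made it into the file.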
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index 2c68fb6704..e69c2a864d 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -25,7 +25,7 @@ localizationpriority: high
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
-For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
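Review bot: The replaced sentence now reads "in the **Machines list** list", so the word "list" is doubled. Drop the trailing word so it reads "are not appearing in the **Machines list**".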
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..e840000672
--- /dev/null
+++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,85 @@
+---
+title: Experiment with custom threat intelligence alerts
+description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API.
+keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Experiment with custom threat intelligence (TI) alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
+
+For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md).
+
+This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
+
+You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like.
+
+## Step 1: Enable the threat intelligence API and obtain authentication details
+To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+This step is required to generate security credentials that you need to use while working with the API.
+
+## Step 2: Create a sample alert definition and IOCs
+This step will guide you in creating an alert definition and an IOC for a malicious IP.
+
+1. Open a Windows PowerShell ISE.
+
+2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert.
+
+ NOTE:
+ Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.
+
+ [!code[ExampleScript](./code/example-script.ps1#L1-L60)]
+
+3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.
+
+ 
+
+ NOTE:
+ If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script:
+
+ ```syntax
+ $webclient=New-Object System.Net.WebClient
+ $creds=Get-Credential
+ $webclient.Proxy.Credentials=$creds
+ ```
+
+## Step 3: Simulate a custom TI alert
+This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert.
+
+1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP.
+
+2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition.
+
+ 
+
+## Step 4: Explore the custom alert in the portal
+This step will guide you in exploring the custom alert in the portal.
+
+1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.
+
+2. Log in with your Windows Defender ATP credentials.
+
+3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
+
+ 
+
+> [!NOTE]
+> It can take up to 15 minutes for the alert to appear in the portal.
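Review bot: The portal link in Step 4 is malformed: `http: /securitycenter.windows.com/` has a space after the colon and a single slash, so it will not resolve; use `https://securitycenter.windows.com/`. In Step 2, the 407 note sets credentials on a newly created `$webclient`, which only helps if the included example script sends its requests through a variable of that name. The script is pulled in by the `[!code[ExampleScript]...]` include and is not visible in this hunk, so state where in the script these three lines belong. Step 2 also asks readers to paste `clientSecret` into the script; a sentence telling them not to save or share the edited script would fit there. Wording: "saved in when you enabled", "in the results the window", "a Microsoft's dedicated demo server" and "examples of how triggered custom TI alerts look like" need a pass, and the two plain "NOTE:" blocks should use the `> [!NOTE]` form used at the end of the file.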
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 749d25c114..225527fdbc 100644
--- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ If the machine has not been in use for more than 7 days for any reason, it will
A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Machine was offboarded**
-If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive.
+If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
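Review bot: In the "Machine was offboarded" paragraph the new text writes the UI name as plain lower-case "machines list", while the event-error-codes page changed in this same patch writes it as **Machines list**. Pick one form and use it in both places. A comma after "offboarded" would also make the sentence easier to read.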
@@ -60,7 +60,7 @@ If you took corrective actions and the machine status is still misconfigured, [o
### No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
-Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’:
+Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
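Review bot: The corrected line under "No sensor data" still begins "Follow theses actions"; since the line is being rewritten anyway, change "theses" to "these". The unchanged line just below the link says "The Window Defender ATP sensor", which should be "Windows Defender ATP" and could be fixed in the same pass.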
diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
index b8021ab337..d53c76fc27 100644
--- a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
@@ -23,14 +23,16 @@ localizationpriority: high
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**.
+
2. Modify settings such as data retention policy or the industry that best describes your organization.
- >[!NOTE]
- >Other settings are not editable.
+ > [!NOTE]
+ > Other settings are not editable.
+
3. Click **Save preferences**.
## Related topics
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
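Review bot: The corrected link target under "Related topics", `advanced-features-windows-defender-advanced-threat-protection.md`, only works if a file with that exact name exists, and nothing in the lines shown here renames the old `...advacned...` file. Confirm the target exists, or include the rename in this change. The next entry's link text also ends with a stray space before the closing bracket ("Windows Defender ATP ]"), which is worth removing while this list is being edited.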
diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md
index 8a3c433fa4..af480096c6 100644
--- a/windows/keep-secure/hello-how-it-works.md
+++ b/windows/keep-secure/hello-how-it-works.md
@@ -14,7 +14,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-TWindows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
+Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
## Register a new user or device
@@ -118,4 +118,4 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/keep-secure/images/atp-actor.png b/windows/keep-secure/images/atp-actor.png
new file mode 100644
index 0000000000..dc9c9dd6fc
Binary files /dev/null and b/windows/keep-secure/images/atp-actor.png differ
diff --git a/windows/keep-secure/images/atp-alert-source.png b/windows/keep-secure/images/atp-alert-source.png
new file mode 100644
index 0000000000..c2155cc7ee
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-source.png differ
diff --git a/windows/keep-secure/images/atp-alert-timeline-numbered.png b/windows/keep-secure/images/atp-alert-timeline-numbered.png
new file mode 100644
index 0000000000..e791757460
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-timeline-numbered.png differ
diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png
new file mode 100644
index 0000000000..ad92f3af0c
Binary files /dev/null and b/windows/keep-secure/images/atp-file-details.png differ
diff --git a/windows/keep-secure/images/atp-machine-details-view.png.pdf b/windows/keep-secure/images/atp-machine-details-view.png.pdf
deleted file mode 100644
index 6f018827bb..0000000000
Binary files a/windows/keep-secure/images/atp-machine-details-view.png.pdf and /dev/null differ
diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/keep-secure/images/atp-machines-at-risk.png
index e733606c0c..219e958d7d 100644
Binary files a/windows/keep-secure/images/atp-machines-at-risk.png and b/windows/keep-secure/images/atp-machines-at-risk.png differ
diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/keep-secure/images/atp-remediated-alert.png
new file mode 100644
index 0000000000..d49b681907
Binary files /dev/null and b/windows/keep-secure/images/atp-remediated-alert.png differ
diff --git a/windows/keep-secure/images/atp-running-script.png b/windows/keep-secure/images/atp-running-script.png
new file mode 100644
index 0000000000..ebfdebadc5
Binary files /dev/null and b/windows/keep-secure/images/atp-running-script.png differ
diff --git a/windows/keep-secure/images/atp-sample-custom-ti-alert.png b/windows/keep-secure/images/atp-sample-custom-ti-alert.png
new file mode 100644
index 0000000000..e536f6f4cc
Binary files /dev/null and b/windows/keep-secure/images/atp-sample-custom-ti-alert.png differ
diff --git a/windows/keep-secure/images/atp-siem-integration.png b/windows/keep-secure/images/atp-siem-integration.png
new file mode 100644
index 0000000000..0205980406
Binary files /dev/null and b/windows/keep-secure/images/atp-siem-integration.png differ
diff --git a/windows/keep-secure/images/atp-simulate-custom-ti.png b/windows/keep-secure/images/atp-simulate-custom-ti.png
new file mode 100644
index 0000000000..2828654c79
Binary files /dev/null and b/windows/keep-secure/images/atp-simulate-custom-ti.png differ
diff --git a/windows/keep-secure/images/atp-threat-intel-api.png b/windows/keep-secure/images/atp-threat-intel-api.png
new file mode 100644
index 0000000000..ef6720b29e
Binary files /dev/null and b/windows/keep-secure/images/atp-threat-intel-api.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png b/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png
new file mode 100644
index 0000000000..6d14d64c36
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png b/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png
new file mode 100644
index 0000000000..ab932c226f
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png b/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png
new file mode 100644
index 0000000000..7a9b31f55f
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png
new file mode 100644
index 0000000000..929cae9617
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png
new file mode 100644
index 0000000000..dd79819a96
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png differ
diff --git a/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png b/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png
new file mode 100644
index 0000000000..ee36266a6d
Binary files /dev/null and b/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png differ
diff --git a/windows/keep-secure/images/rules-legend.png b/windows/keep-secure/images/rules-legend.png
index dea7d1dc70..a48783c6e3 100644
Binary files a/windows/keep-secure/images/rules-legend.png and b/windows/keep-secure/images/rules-legend.png differ
diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
index ddb0839afa..5442141ce8 100644
--- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -12,77 +12,78 @@ author: brianlic-msft
# Interactive logon: Display user information when the session is locked
**Applies to**
-- Windows 10
+- Windows 10
Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting.
## Reference
-This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen.
-For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
-However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
+This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen.
+For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
+However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
-### Changes in Windows 10 version 1607
+### Changes beginning with Windows 10 version 1607
-Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
-This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
-The Privacy setting is off by default, which hides the details.
+Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
+This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+The Privacy setting is off by default, which hides the details.

-The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
+The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
This setting has these possible values:
- **User display name, domain and user names**
- For a local logon, the user's full name is displayed.
- If the user signed in using a Microsoft account, the user's email address is displayed.
- For a domain logon, the domain\username is displayed.
- This has the same effect as turning on the **Privacy** setting.
+ For a local logon, the user's full name is displayed.
+ If the user signed in using a Microsoft account, the user's email address is displayed.
+ For a domain logon, the domain\username is displayed.
+ This has the same effect as turning on the **Privacy** setting.
- **User display name only**
- The full name of the user who locked the session is displayed.
+ The full name of the user who locked the session is displayed.
This has the same effect as turning off the **Privacy** setting.
- **Do not display user information**
- No names are displayed.
- Beginning with Windows 10 version 1607, this option is not supported.
- If this option is chosen, the full name of the user who locked the session is displayed instead.
- This change makes this setting consistent with the functionality of the new **Privacy** setting.
+ No names are displayed.
+ Beginning with Windows 10 version 1607, this option is not supported.
+ If this option is chosen, the full name of the user who locked the session is displayed instead.
+ This change makes this setting consistent with the functionality of the new **Privacy** setting.
To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
- Blank.
- Default setting.
- This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**.
+ Default setting.
+ This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**.
When an option is set, you cannot reset this policy to blank, or not defined.
### Hotfix for Windows 10 version 1607
-Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
-If the **Privacy** setting is turned on, details will show.
+Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
+If the **Privacy** setting is turned on, details will show.
-The **Privacy** setting cannot be changed for clients in bulk.
-Instead, apply KB 4013429 to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
+The **Privacy** setting cannot be changed for clients in bulk.
+Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
+Clients that run later versions of Windows 10 do not require a hotfix.
There are related Group Policy settings:
-- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen.
+- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen.
- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display last signed-in** prevents the username of the last user to sign in from being shown.
-- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears.
+- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears.
### Interaction with related Group Policy settings
-For all versions of Windows 10, only the user display name is shown by default.
+For all versions of Windows 10, only the user display name is shown by default.
-If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
+If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
Users will not be able to show details.
-If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
-In this case, clients that run Windows 10 version 1607 need KB 4013429 applied.
-Users will not be able to hide additional details.
+If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
+In this case, clients that run Windows 10 version 1607 need [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
+Users will not be able to hide additional details.
If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown.
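Review bot: Both added KB 4013429 links (in the hotfix paragraph and again under "Interaction with related Group Policy settings") point at `http://www.catalog.update.microsoft.com/...`; use the `https://` form so readers are not sent to the update catalog over cleartext. The new sentence "Clients that run later versions of Windows 10 do not require a hotfix" sits under a heading that names version 1607 only, so it would help to say from which version "later" starts.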
@@ -100,13 +101,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | **User display name, domain and user names**|
-| Member server effective default settings | **User display name, domain and user names**|
-| Effective GPO default settings on client computers | **User display name, domain and user names**|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | **User display name, domain and user names**|
+| Member server effective default settings | **User display name, domain and user names**|
+| Effective GPO default settings on client computers | **User display name, domain and user names**|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
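Review bot: The table rows are only re-spaced here, but the three effective-default rows still say **User display name, domain and user names**, while the text earlier on this page states "For all versions of Windows 10, only the user display name is shown by default." One of the two needs correcting, or the table needs a note about which Windows versions its values apply to.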
diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
index d712d65bdd..302baa44b9 100644
--- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
@@ -40,14 +40,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
-| Server type or Group Policy object (GPO) | Default value|
+| Server type or Group Policy object (GPO) | Default value|
| - | - |
-| Default domain policy| Disabled|
-| Default domain controller policy| Disabled|
-| Stand-alone server default settings | Disabled|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers | Disabled|
+| Default domain policy| Disabled|
+| Default domain controller policy| Disabled|
+| Stand-alone server default settings | Disabled|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers | Disabled|
## Policy management
diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 3b6173cf5c..e188c2bed0 100644
--- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -43,10 +43,10 @@ The following table lists the actual and effective default values for this polic
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 14 days|
-| DC Effective Default Settings | 14 days |
-| Member Server Effective Default Settings| 14 days |
-| Client Computer Effective Default Settings | 14 days|
+| Stand-Alone Server Default Settings | 5 days|
+| DC Effective Default Settings | 5 days |
+| Member Server Effective Default Settings| 5 days |
+| Client Computer Effective Default Settings | 5 days|
## Policy management
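Review bot: The four effective-default rows change from 14 days to 5 days with no statement of which Windows versions the new value applies to. If any supported release still defaults to 14 days, readers managing mixed estates need both values; please add the version scope or a source for the change. The cell spacing is also uneven ("5 days|" versus "5 days |").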
@@ -74,11 +74,11 @@ If user passwords are configured to expire periodically in your organization, us
### Countermeasure
-Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days.
+Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days.
### Potential impact
-Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days.
+Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
## Related topics
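Review bot: The countermeasure now recommends 5 days, which is the same value this commit lists as the effective default in the defaults table, so the section no longer asks the reader to change anything. Either state that the default already meets the recommendation, or explain what the reader should configure when the setting has been changed away from the default.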
diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
index 76dd0c900d..73f0e86007 100644
--- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: View and organize the Windows Defender ATP machines view
-description: Learn about the available features that you can use from the Machines view such as sorting, filtering, and exporting the machine list which can enhance investigations.
+title: View and organize the Windows Defender ATP machines list
+description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations.
keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# View and organize the Windows Defender ATP Machines view
+# View and organize the Windows Defender ATP Machines list
**Applies to:**
@@ -21,23 +21,23 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
+The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
Use the Machines view in these main scenarios:
- **During onboarding**
- During the onboarding process, the **Machines view** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
+ During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work**
- The **Machines view** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
+ The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
## Sort, filter, and download the list of machines from the Machines view
-You can sort the **Machines view** by clicking on any column header to sort the view in ascending or descending order.
+You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.
-Filter the **Machines view** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria.
+Filter the **Machines list** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria.
You can also download the entire list in CSV format using the **Export to CSV** feature.
-
+
You can use the following filters to limit the list of machines displayed during an investigation:
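Review bot: The rename is incomplete in this hunk: the unchanged lines "Use the Machines view in these main scenarios:" and "## Sort, filter, and download the list of machines from the Machines view" still use the old name next to the new **Machines list**. Rename them too (checking inbound links to the heading anchor), and consider rewording "The **Machines list** shows a list of the machines" now that "list" appears twice in one clause.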
@@ -71,7 +71,7 @@ You can download a full list of all the machines in your organization, in CSV f
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
## Sort the Machines view
-You can sort the **Machines view** by the following columns:
+You can sort the **Machines list** by the following columns:
- **Machine name** - Name or GUID of the machine
- **Last seen** - Date and time when the machine last reported sensor data
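Review bot: The heading "## Sort the Machines view" is left as context while the sentence directly under it now says **Machines list**. If the heading is kept on purpose to preserve its anchor, say so in the commit message; otherwise rename it and update any links that target it.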
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index ac785c854a..c6d0f9dd37 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, preferences setup, endpoint management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
index 5574319409..c30415b0fd 100644
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ These code examples demonstrate the following tasks:
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-Replace the *tenantid*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
+Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.ps1#L1-L14)]
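Review bot: The placeholder list now names *authUrl* instead of *tenantid*, but the include `./code/example.ps1#L1-L14` is unchanged in this hunk. Confirm that example.ps1 was updated in the same change to define `authUrl` and that lines 1-14 still cover the whole token request. The sentence also reads "from **Preferences settings** page", which is missing "the".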
diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
index 5d51de963a..1523930b5c 100644
--- a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -27,6 +27,6 @@ Use the **Preferences setup** menu to modify general settings, advanced features
Topic | Description
:---|:---
[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
-[Enable advanced features](advanced-features-windows-defender-advacned-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
+[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
[Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features.
[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.
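Review bot: The link target changes from `advanced-features-windows-defender-advacned-threat-protection.md` to the correctly spelled file name; make sure the file itself is renamed in this commit and that the old URL redirects, otherwise this row becomes a broken link.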
diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
index 9304e0ab7e..f1e4b41964 100644
--- a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
@@ -27,5 +27,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..670143cd10
--- /dev/null
+++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,195 @@
+---
+title: Pull Windows Defender ATP alerts using REST API
+description: Pull alerts from the Windows Defender ATP portal REST API.
+keywords: alerts, pull alerts, rest api, request, response
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Pull Windows Defender ATP alerts using REST API
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
+
+In general, the OAuth 2.0 protocol supports four types of flows:
+- Authorization grant flow
+- Implicit flow
+- Client credentials flow
+- Resource owner flow
+
+For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
+
+Windows Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
+
+The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
+
+The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
+
+Use the following method in the Windows Defender ATP API to pull alerts in JSON format.
+
+## Before you begin
+- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+
+- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
+ - Application ID (unique to your application)
+ - App key, or secret (unique to your application)
+ - Your app's OAuth 2.0 token endpoint
+ - Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`.
+
+## Get an access token
+Before creating calls to the endpoint, you'll need to get an access token.
+
+You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP.
+
+To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
+
+```syntax
+
+POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
+Host: login.microsoftonline.com
+Content-Type: application/x-www-form-urlencoded
+
+resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
+```
+The response will include an access token and expiry information.
+
+```json
+{
+ "token type": "Bearer",
+ "expires in": "3599"
+ "ext_expires_in": "0",
+ "expires_on": "1488720683",
+ "not_before": "1488720683",
+ "resource": "https://WDATPAlertExport.Seville.onmicrosoft.com",
+ "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
+}
+```
+You can now use the value in the *access_token* field in a request to the Windows Defender ATP API.
+
+## Request
+With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append the access token to the Authorization header of each request.
+
+### Request syntax
+Method | Request URI
+:---|:---|
+GET| Use the URI applicable for your region.
**For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
+
+### Request header
+Header | Type | Description|
+:--|:--|:--
+Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. |
+
+### Request parameters
+
+Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization.
+
+Name | Value| Description
+:---|:---|:---
+DateTime?sinceTimeUtc | string | Defines the time alerts are retrieved from based from `LastProccesedTimeUtc` time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
+
+### Request example
+The following example demonstrates how to retrieve all the alerts in your organization.
+
+```syntax
+GET https://wdatp-alertexporter-eu.windows.com/api/alerts
+Authorization: Bearer
+```
+
+The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.
+
+```syntax
+GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc="2016-09-12 00:00:00"
+Authorization: Bearer
+```
+
+## Response
+The return value is an array of alert objects in JSON format.
+
+Here is an example return value:
+
+```json
+{"AlertTime":"2017-01-23T07:32:54.1861171Z",
+"ComputerDnsName":"desktop-bvccckk",
+"AlertTitle":"Suspicious PowerShell commandline",
+"Category":"SuspiciousActivity",
+"Severity":"Medium",
+"AlertId":"636207535742330111_-1114309685",
+"Actor":null,
+"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
+"IocName":null,
+"IocValue":null,
+"CreatorIocName":null,
+"CreatorIocValue":null,
+"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
+"FileName":"powershell.exe",
+"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
+"IpAddress":null,
+"Url":null,
+"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
+"UserName":null,
+"AlertPart":0,
+"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
+"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
+"ThreatCategory":null,
+"ThreatFamily":null,
+"ThreatName":null,
+"RemediationAction":null,
+"RemediationIsSuccess":null,
+"Source":"Windows Defender ATP",
+"Md5":null,
+"Sha256":null,
+"WasExecutingWhileDetected":null,
+"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
+"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
+```
+
+## Code examples
+### Get access token
+The following code example demonstrates how to obtain an access token and call the Windows Defender ATP API.
+
+```syntax
+AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
+ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
+AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);
+```
+### Use token to connect to the alerts endpoint
+
+```
+HttpClient httpClient = new HttpClient();
+httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
+HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
+string alertsJson = response.Content.ReadAsStringAsync().Result;
+Console.WriteLine("Got alert list: {0}", alertsJson);
+
+```
+
+
+
+
+## Error codes
+The Windows Defender ATP REST API returns the following error codes caused by an invalid request.
+
+HTTP error code | Description
+:---|:---
+401 | Malformed request or invalid token.
+403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted.
+500 | Error in the service.
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
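Review bot: The sample token request under "Get an access token" carries a concrete tenant GUID, `client_id` and `client_secret` value rather than placeholders; if any of these came from a real app registration the secret must be rotated, and the sample should use obvious placeholders such as the `{tenantId}` form already used in "Before you begin". Further points in this file: the token response sample is not valid JSON and its keys are wrong (`"token type"`, and `"expires in": "3599"` with no trailing comma; the fields are `token_type` and `expires_in`). The intro says the flows are used "to generate alerts" where the page is about pulling them. The request parameters text says a call without parameters returns all alerts, while the `sinceTimeUtc` note says only the last two hours are returned, and that row spells the field `LastProccesedTimeUtc` where the response sample has `LastProcessedTimeUtc`. Both request examples end in a bare `Authorization: Bearer` with no token placeholder, and the second puts a quoted, unencoded timestamp in the URL. The response is described as an array but the sample is a single object. The C# sample calls `/api/alert` while the request syntax table gives `/api/alerts`, uses `login.windows.net` where the rest of the page uses `login.microsoftonline.com`, blocks on `.Result`, and never checks the status code, so a 401 or 403 body would be printed as an alert list. In the error table, 401 is described as "Malformed request" and 403 as "Unauthorized exception"; please confirm both against the service.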
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index 6e63d9f1b5..d162c44a38 100644
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -37,7 +37,7 @@ These code examples demonstrate the following tasks:
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
+Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.py#L1-L17)]
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 0d15caf8a1..26459e371e 100644
--- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -130,7 +130,7 @@ For prevalent files in the organization, a warning is shown before an action is
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
– **Alerts** - Click the file links from the Description or Details in the Alert timeline
- – **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section
+ – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
– **Search box** - Select File from the drop–down menu and enter the file name
2. Open the **Actions** menu and select **Remove file from blocked list**.
@@ -175,7 +175,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
– Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- – **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+ – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
– Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.
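Review bot: In this list only **Machines list** is bold, while "Alerts" and "Search box" in the neighbouring items are plain; the matching list in the "Remove file from blocked list" steps bolds all three labels. Bold the other two here so the view names read consistently.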
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 7262eeac48..3918964ff2 100644
--- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -40,7 +40,7 @@ This machine isolation feature disconnects the compromised machine from the netw
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines view** - Select the machine name from the list of machines.
+ - **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Isolate machine**.
@@ -102,7 +102,7 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines view** - Select the heading of the machine name from the machines view.
+ - **Machines list** - Select the heading of the machine name from the machines list.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Collect investigation package**.
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index be6cfe9d8e..07cf221238 100644
--- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Understand threat intelligence concepts in Windows Defender ATP
-description: Understand the concepts around threat intelligence in Windows Defender Advanced Threat Protection so that you can effectively create custom intelligence for your organization.
+description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Windows Defender Advanced Threat Protection.
keywords: threat intelligence, alert definitions, indicators of compromise, ioc
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index d63bd1bf4c..04fdd96eb0 100644
--- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -37,7 +37,7 @@ If your client secret expires or if you've misplaced the copy provided when you
3. Select your tenant.
-4. Click **Application**, then select your custom threat intelligence application.
+4. Click **Application**, then select your custom threat intelligence application. The application name is **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**).
5. Select **Keys** section, then provide a key description and specify the key validity duration.
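Review bot: In the added step 4 sentence, the parenthetical "formerly known as **WindowsDefenderATPCustomerTiConnector**" does not tell the reader which name they will actually see in the application list. If tenants that enabled the API before the rename still show the old name, say so explicitly; otherwise someone replacing an expired client secret may not find the application. Separately, the context line for step 5 reads "Select **Keys** section"; "Select the **Keys** section" is worth fixing while this list is open.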
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index e95197be01..3a2b9f8868 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ Deployment with the above-mentioned versions of System Center Configuration Mana
If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
-If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
+If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
## Troubleshoot onboarding when deploying with a script on the endpoint
@@ -119,7 +119,7 @@ ID | Severity | Event description | Troubleshooting steps
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the endpoint
-If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
+If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
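Review bot: The rewritten sentence still has two wording problems: "the deployment tools used does not indicate" pairs a plural subject with a singular verb, and "in the machines list in an hour" reads as a deadline rather than an elapsed wait. The earlier hunk in this file uses "after an hour" and bolds **Machines list**; suggest "If the deployment tools used do not indicate an error in the onboarding process, but endpoints are still not appearing in the **Machines list** after an hour, ..." so the two passages match.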
diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md
index 96a64490d0..efc97f3e17 100644
--- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md
+++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md
@@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts.
+There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts.
The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations.
@@ -40,7 +40,7 @@ Although password protection of the UEFI configuration is important for protecti
For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible.
-Any changes to the UEFI configuration invalidates the PCR7 and require the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. If an attacker successfully turns off Secure Boot or otherwise changes the UEFI configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives).
+Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives).
### Brute-force Sign-in Attacks
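Review bot: Dropping the sentence about an attacker who turns off Secure Boot leaves "Because of this feature, it's not critical to password-protect your UEFI configuration" without its justification. The removed text was the only place in this paragraph that tied the PCR7 invalidation to the attack the topic is about: the person who changes the configuration is the one who then faces the recovery key prompt. Suggest keeping that point in one clause, and joining the final sentence to the previous one ("..., but UEFI password protection is still a best practice and is required for systems not using a TPM") rather than opening with "But". "invalidates the PCR7" would also read better as "invalidates PCR7".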
diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
index 0757a26702..cf9af66f72 100644
--- a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts
-description: Use the custom threat intelligence API to create custom alerts for your organization.
+title: Use the custom threat intelligence API to create custom alerts for your organization
+description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts
keywords: threat intelligence, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
ms.prod: w10
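Review bot: The `title:` and `description:` values look swapped rather than edited. The new title no longer names Windows Defender ATP, unlike the threat-intelligence concepts topic earlier in this patch, whose title keeps the product name, and the new description has lost its closing period. If the intent is a task-first title, keep the product name in it and leave the full sentence, with its period, as the description.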
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
index 23bb45e5bf..e614c969ca 100644
--- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ Topic | Description
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
-[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
+[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
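Review bot: Only the "Investigate machines" row was renamed; the context row directly above it still has the link text "View and organize the Machines view", so the table now uses both names for the same page. Rename that link text in the same change (the target file name can stay, to avoid breaking the link), and fix "You can sort, filter, and exporting the machine list" to "export" while the table is open.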
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 70f2e9290f..49dd11e6c9 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -3,11 +3,12 @@
## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md)
### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
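Review bot: The renumbering reuses cortana-at-work-scenario-6.md for a different topic: the WIP scenario moves to scenario-7 and the scenario-6 file now holds the Suggested reminders walkthrough. Any existing link or bookmark to scenario-6 that was meant for the WIP data-protection test will now land on unrelated content without any error. Either give the new reminders topic the new file name and leave the WIP topic where it was, or confirm that every inbound reference to scenario-6 is updated in this change; the visible hunks update only the TOC, the change history and the testing-scenarios list.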
diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md
index bd79da1f4f..b18a9df8d0 100644
--- a/windows/manage/appv-planning-for-using-appv-with-office.md
+++ b/windows/manage/appv-planning-for-using-appv-with-office.md
@@ -28,81 +28,20 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
-**Note**
+>**Note**
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
## Supported versions of Microsoft Office
-The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
+See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products.
+>**Note** You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer.
+
+>**Note**
+Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744)
+
-
-
-
-
-
-
-
-
-
-
-
-
-Office 365 ProPlus (either the Office 2013 or the Office 2016 version)
-Also supported:
- |
-Office Deployment Tool |
-Subscription |
-
-Desktop
-Personal VDI
-Pooled VDI
-RDS
- |
-
-
-
-Visio Professional 2016 (C2R-P)
-Visio Standard 2016 (C2R-P)
-Project Professional 2016 (C2R-P)
-Project Standard 2016 (C2R-P)
- |
-Office Deployment Tool |
-Volume Licensing |
-
-Desktop
-Personal VDI
-Pooled VDI
-RDS
- |
-
-
-Office Professional Plus 2013
-Also supported:
- |
-Office Deployment Tool |
-Volume Licensing |
-
-Desktop
-Personal VDI
-Pooled VDI
-RDS
- |
-
-
-
## Planning for using App-V with coexisting versions of Office
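Review bot: Replacing the support table with an external link removes the only in-page statement of which package types, licensing models and deployment targets (Desktop, Personal VDI, Pooled VDI, RDS) are supported, and the link text "Microsoft Office Product IDs that App-V supports" does not match a URL whose slug is about product IDs supported by the Office Deployment Tool. The first added note is also ambiguous: "You cannot use the App-V Sequencer." follows the sentence about volume-licensed versions, so it is unclear what it restricts; move it next to the Office Deployment Tool requirement. Smaller fixes: "Februrary" should be "February", the second note is missing its closing period, and the two notes use different layouts (`>**Note** text` on one line versus text on an unquoted following line).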
@@ -148,7 +87,7 @@ The Office documentation provides extensive guidance on coexistence for Windows
The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience.
-**Note**
+>**Note**
Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 13a0de7e4f..51e0f36d15 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+## March 2017
+
+| New or changed topic | Description |
+| --- | --- |
+|[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New |
+
## February 2017
| New or changed topic | Description |
@@ -26,11 +32,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Added Express updates. |
| [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. |
+
## January 2017
| New or changed topic | Description |
| --- | --- |
-| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New |
+| [Cortana integration in your business or enterprise and sub-topics](cortana-at-work-overview.md) |New |
| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
@@ -58,7 +65,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage device restarts after updates](waas-restart.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
-| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
+| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
@@ -85,7 +92,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
## RELEASE: Windows 10, version 1607
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
@@ -117,7 +124,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
@@ -142,12 +149,12 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
| ---|---|
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
-
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
+
## December 2015
@@ -185,5 +192,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
-
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
index 0b4b7ec69f..d8710b1bb2 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -216,6 +216,8 @@ No user content, such as user files or communications, is gathered at the **Secu
The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
+
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
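Review bot: "between 109 KB - 159 KB per day, per device" mixes "between" with a dash; write "between 109 KB and 159 KB per day, per device". "Normal" is also undefined in the added sentence: say what the figure assumes, or readers sizing network egress or baselining endpoint traffic have nothing to judge an outlier against.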
@@ -256,12 +258,15 @@ The data gathered at this level includes:
- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
+
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
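Review bot: The added Enhanced figure does not say whether 239 KB to 348 KB is the total daily upload or the amount on top of Basic. The context line states that this level "also includes data from both the **Basic** and **Security** levels", so a reader could reasonably add the two ranges together; state explicitly which it is. The "between 239 KB - 348 KB" wording should become "between 239 KB and 348 KB", and the blank line added before "### Enhanced level" looks unintentional.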
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/manage/cortana-at-work-scenario-6.md
index ac15463824..2ad1c7cb5c 100644
--- a/windows/manage/cortana-at-work-scenario-6.md
+++ b/windows/manage/cortana-at-work-scenario-6.md
@@ -1,13 +1,14 @@
---
-title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
-description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email (Windows 10)
+description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
+author: eross-msft
localizationpriority: high
---
-# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
@@ -16,22 +17,32 @@ localizationpriority: high
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
-This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
-## Use Cortana and WIP to protect your organization’s data
+>[!NOTE]
+>The Suggested reminders feature is currently only available in English (en-us).
-1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+**To use Cortana to create Suggested reminders for you**
-2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
-3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
- Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
-4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+ 
-5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
+
+ 
+
+5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_.
+
+6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events.
+
+ If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
+
+ 
- Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
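Review bot: The new introduction has a dropped word in "suggesting reminders based things that you said you would do"; it should read "based on things". More substantively, step 3 has the tester turn on **Contacts, email, calendar, and communication history**, and the IMPORTANT note says scenario data is uploaded to Microsoft's cloud, but nothing tells the reader how to turn that permission or the **All reminder suggestions cards** option back off once the test is done. Add a closing step or note for that, since these steps are what give Cortana access to mail content in this scenario.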
diff --git a/windows/manage/cortana-at-work-scenario-7.md b/windows/manage/cortana-at-work-scenario-7.md
new file mode 100644
index 0000000000..e8d6cfd3ff
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-7.md
@@ -0,0 +1,38 @@
+---
+title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: eross-msft
+localizationpriority: high
+---
+
+# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+
+## Use Cortana and WIP to protect your organization’s data
+
+1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+
+2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+
+3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+
+4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+
+5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
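Review bot: Step 5 verifies the protection by the absence of a result, but "Wait until everything has updated again" gives no time bound, unlike step 3's "Wait up to 2 hours". A tester who checks too early sees the same empty result whether WIP blocked the extraction or Cortana has simply not processed the mail yet. Repeat the 2-hour wait in step 5, and consider using different text in the two messages so a late-arriving card can be attributed to the right mailbox. Also, "an WIP policy" and "an WIP-protected email" should be "a WIP ...", and the second `[!IMPORTANT]` note here lacks the Privacy Statement and Services Agreement links that the scenario 6 hunk adds to the same sentence.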
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md
index 41f734e006..9f97783bca 100644
--- a/windows/manage/cortana-at-work-testing-scenarios.md
+++ b/windows/manage/cortana-at-work-testing-scenarios.md
@@ -18,15 +18,19 @@ localizationpriority: high
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
+- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
-- Set a reminder and have it remind you when you’ve reached a specific location.
+- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
-- Search for your upcoming meetings on your work calendar.
+- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md)
-- Send an email to a co-worker from your work email app.
+- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
-- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
+- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
+
+- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+
+- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
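Review bot: The first added bullet keeps "Sign-in" as a verb in the link text; it should be "Sign in to Cortana using Azure AD". The file also still ends without a trailing newline after the `[!IMPORTANT]` note, so add one while these lines are being edited. Since the list now links to seven scenario pages, confirm that each `cortana-at-work-scenario-N.md` target ships in this change, otherwise the index will carry broken links.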
diff --git a/windows/manage/images/cortana-communication-history-permissions.png b/windows/manage/images/cortana-communication-history-permissions.png
new file mode 100644
index 0000000000..db182be13c
Binary files /dev/null and b/windows/manage/images/cortana-communication-history-permissions.png differ
diff --git a/windows/manage/images/cortana-suggested-reminder-settings.png b/windows/manage/images/cortana-suggested-reminder-settings.png
new file mode 100644
index 0000000000..176dbff483
Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder-settings.png differ
diff --git a/windows/manage/images/cortana-suggested-reminder.png b/windows/manage/images/cortana-suggested-reminder.png
new file mode 100644
index 0000000000..4184bd1b6c
Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder.png differ
diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md
index c86fc0cfe6..db4bf8dd66 100644
--- a/windows/manage/start-layout-xml-desktop.md
+++ b/windows/manage/start-layout-xml-desktop.md
@@ -224,7 +224,7 @@ The following example shows how to create a tile of the Web site's URL using the
Column="4"/>
```
-The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**.
+The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md
index e8a17a2b8b..681a39ca98 100644
--- a/windows/manage/waas-optimize-windows-10-updates.md
+++ b/windows/manage/waas-optimize-windows-10-updates.md
@@ -13,24 +13,24 @@ localizationpriority: high
**Applies to**
-- Windows 10
+- Windows 10
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
-Two methods of peer-to-peer content distribution are available in Windows 10.
+Two methods of peer-to-peer content distribution are available in Windows 10.
-- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
+- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
- Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
+ Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
-- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
+- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
- Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
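Review bot: The re-added line "Two methods of peer-to-peer content distribution are available in Windows 10." repeats what the preceding paragraph already says ("Windows 10 offers two peer-to-peer options for update content distribution"), so it can be dropped instead of being carried forward. Every changed line in this hunk appears to differ only in whitespace, which is worth saying in the commit message so reviewers do not hunt for a content change. If the text is touched anyway, "fulfil" in the Delivery Optimization bullet should be checked against the spelling used in the rest of the docs set.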
@@ -50,7 +50,7 @@ Windows 10 update downloads can be large because every package contains all prev
### How Microsoft supports Express
- **Express on WSUS Standalone**
-
+
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
- **Express on devices directly connected to Windows Update**
- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
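Review bot: The context line right below the changed blank line still reads "all support versions of WSUS"; it should be "all supported versions of WSUS". This hunk only changes whitespace next to it, so the typo is easy to fix in the same pass.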
@@ -96,7 +96,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
@@ -104,5 +104,3 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
-
-
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
index c2ce1d7706..a3a565c261 100644
--- a/windows/manage/windows-store-for-business-overview.md
+++ b/windows/manage/windows-store-for-business-overview.md
@@ -18,12 +18,12 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+With Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
## Features
-Organizations of any size can benefit from using the Store for Business provides:
+Organizations of any size can benefit from using the Store for Business:
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
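Review bot: The rewritten intro sentence still ends with "as well private Line-of-Business (LOB) apps", which is missing a word; it should read "as well as private Line-of-Business (LOB) apps". The other fix in this hunk, dropping the stray "provides" from "benefit from using the Store for Business", reads correctly.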
@@ -47,7 +47,6 @@ Organizations of any size can benefit from using the Store for Business provides
## Prerequisites
-
You'll need this software to work with the Store for Business.
### Required
@@ -78,7 +77,6 @@ While not required, you can use a management tool to distribute and manage apps.
## How does the Store for Business work?
-
### Sign up!
The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
@@ -89,50 +87,12 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Admin |
-X |
-X |
-X |
- |
-
-
-Purchaser |
- |
-X |
-X |
- |
-
-
-Device Guard signer |
- |
- |
- |
-X |
-
-
-
-
+| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
+| ---------- | ---------------- | ------------ | --------------- | -------------------- |
+| Admin | X | X | X | |
+| Purchaser | | X | X | |
+| Device Guard signer | | | | X |
-
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
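Review bot: The first column header of the new table is "Permission", but the rows under it are roles (Admin, Purchaser, Device Guard signer) and the remaining columns are the permissions. Suggest heading that column "Role" so it matches the sentence above ("These are the roles and their permissions"). It is also worth confirming against the removed table that the Admin row is meant to have no X under Device Guard signing, since admins assigning roles by this table will read it as the authoritative split of signing rights from store administration.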
@@ -292,6 +252,7 @@ Store for Business is currently available in these markets.
- Luxembourg
- Malaysia
- Malta
+ - Mauritius
- Mexico
- Mongolia
- Montenegro
@@ -313,12 +274,12 @@ Store for Business is currently available in these markets.
- Portugal
- Puerto Rico
- Qatar
- - Romania
- - Rwanda
+ - Romania
+ - Rwanda
- Saint Kitts and Nevis
- Saudi Arabia
- Senegal
@@ -343,8 +304,7 @@ Store for Business is currently available in these markets.
- Viet Nam
- Virgin Islands, U.S.
- Zambia
- - Zimbabwe
-
+ - Zimbabwe
|
@@ -367,7 +327,19 @@ Store for Business is currently available in these markets.
-
+## Privacy notice
+
+Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+- Granting and managing permissions
+- Managing app licenses
+- Distributing apps to people (names appear in a list that admins can select from)
+
+Store for Business does not save names, or email addresses.
+
+Your use of Store for Business is also governed by the Store for Business Terms of Use.
+
+Information sent to Store for Business is subject to the [Store for Business Privacy Statement](https://privacy.microsoft.com/privacystatement/).
+
## ISVs and the Store for Business
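Review bot: In the new Privacy notice, "Store for Business does not save names, or email addresses." has a stray comma and leaves the data handling unclear: the paragraph above says the service gets names and email addresses from Azure Active Directory for permissions, licensing and distribution, so state whether that data is only read on demand or also cached or logged. The section says "Microsoft Store for Business" while the intro edited in this same file says "Windows Store for Business"; use one product name. The Terms of Use sentence has no link although the Privacy Statement sentence does.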
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 2a85e07f4d..40750ab97e 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -144,7 +144,7 @@ Many users customize their settings for Windows and for specific applications. C
With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
-With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and EU-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
[Learn how to synchronize user-customized settings with UE-V.](../manage/uev-for-windows.md)
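Review bot: The corrected sentence now says UE-V "is included with the Windows 10 for Enterprise edition" and then tells readers they will "need to download, activate, and install server- and client-side components", which reads as a contradiction. While fixing the "EU-V" typo, clarify which components are built in and which still need a separate download, and check whether "Windows 10 for Enterprise edition" should be "Windows 10 Enterprise edition".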