diff --git a/.gitignore b/.gitignore
index 714d719522..55c1d9a504 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,12 @@ _site/
Tools/NuGet/
.optemp/
+
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
+
+# User-specific files
+.vs/
+
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index d60f64de73..c15b35774b 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -14,7 +14,6 @@ title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros
- Windows 10
- Windows 10 Mobile
-- Windows Server 2016
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 1b28328f38..3299ef704e 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -14,7 +14,6 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
- Windows 10
- Windows 10 Mobile
-- Windows Server 2016
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 892a85fbe7..61e8ba0de9 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -14,7 +14,7 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
-|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated various topics to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) |
+|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). |
## July 2016
|New or changed topic | Description |
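Review bot: The context around the edited row shows two consecutive sections both headed "## July 2016", so the change history now carries two tables for the same month. If the row being edited belongs to a different month, correct the first heading in this change; otherwise merge the row into the existing July 2016 table.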
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index 10698fde4f..8e57223ba4 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -14,7 +14,6 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
**Applies to:**
- Windows 10
-- Windows Server 2016
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index ad9c6edfba..169caa75ce 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -15,7 +15,6 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P
- Windows 10
- Windows 10 Mobile
-- Windows Server 2016
Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.
@@ -29,7 +28,7 @@ Some of the components in this table might also need additional system resources
| Item | Minimum requirements |
| ------------------ | -------------------------------------------- |
| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) |
-| Operating system |
/Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
-> **Note:** You can also add these features to an online image by using either DISM or Configuration Manager.
+> [!NOTE]
+> You can also add these features to an online image by using either DISM or Configuration Manager.
In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
@@ -181,14 +183,30 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
-> **Note:** You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+> [!NOTE]
+> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+
+**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
+
+You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
+```
### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following:
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
-2. Delete the following registry setting: HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
+2. Delete the following registry settings:
+ - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
+
+ > [!IMPORTANT]
+ > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
+
3. Delete the Credential Guard EFI variables by using bcdedit.
**Delete the Credential Guard EFI variables**
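Review bot: The new removal list in step 2 no longer includes `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`, which the replaced line told readers to delete, yet the added IMPORTANT note warns that leaving any of these settings behind can put the device into BitLocker recovery. Please confirm whether the Policies path should stay in the list alongside the new `...\Control\LSA` entry. That new entry is also written `LSA\LsaCfgFlags` with a single backslash, where every other separator in the list is escaped as `\\`. Separately, the added `-Enable -AutoReboot` example should state that the device restarts as part of the command.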
@@ -208,9 +226,18 @@ If you have to remove Credential Guard on a PC, you need to do the following:
3. Accept the prompt to disable Credential Guard.
4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
-> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+> [!NOTE]
+> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+
+**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
+
+You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
+```
### Check that Credential Guard is running
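Review bot: Under the new "Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool" heading, the added sentence still reads "You can also enable Credential Guard by using the ...", copied from the enable section. It should say "disable" to match the heading and the `-Disable -AutoReboot` command that follows.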
@@ -223,6 +250,12 @@ You can use System Information to ensure that Credential Guard is running on a P
Here's an example:

+
+You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v2.0.ps1 -Ready
+```
## Considerations when using Credential Guard
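Review bot: The added command `DG_Readiness_Tool_v2.0.ps1 -Ready` is shown without a path, and PowerShell does not run a script from the current directory unless it is invoked as `.\DG_Readiness_Tool_v2.0.ps1`. The same applies to the `-Enable` and `-Disable` examples added elsewhere in this file. The paragraph also does not say what output indicates that Credential Guard is running, so the reader cannot tell a pass from a fail. Consider adding one sentence on the expected result.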
@@ -245,6 +278,7 @@ You can use System Information to ensure that Credential Guard is running on a P
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
+ - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
### Kerberos Considerations
@@ -314,7 +348,8 @@ On devices that are running Credential Guard, enroll the devices using the machi
``` syntax
CertReq -EnrollCredGuardCert MachineAuthentication
```
-> **Note:** You must restart the device after enrolling the machine authentication certificate.
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
### Link the issuance policies to a group
@@ -353,7 +388,8 @@ Now you can set up an authentication policy to use Credential Guard.
14. Click **OK** to create the authentication policy.
15. Close Active Directory Administrative Center.
-> **Note:** When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.
+> [!NOTE]
+> When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.
### Appendix: Scripts
@@ -547,7 +583,8 @@ write-host "There are no issuance policies which are not mapped to groups"
}
}
```
-> **Note:** If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
#### Link an issuance policy to a group
@@ -828,7 +865,8 @@ write-host $tmp -Foreground Red
}
```
-> **Note:** If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## Related topics
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
new file mode 100644
index 0000000000..322d36d515
--- /dev/null
+++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
@@ -0,0 +1,110 @@
+---
+title: Detect and block Potentially Unwanted Application with Windows Defender
+description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+keywords: pua, enable, detect pua, block pua, windows defender and pua
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: detect
+ms.sitesec: library
+ms.pagetype: security
+author: dulcemv
+---
+
+# Detect and block Potentially Unwanted Application in Windows 10
+
+**Applies to:**
+
+- Windows 10
+
+You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+
+Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
+
+Typical examples of PUA behavior include:
+* Various types of software bundling
+* Ad-injection into your browsers
+* Driver and registry optimizers that detect issues, request payment to fix them, and persist
+
+These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
+
+Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
+
+**Enable PUA protection in SCCM and Intune**
+
+The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Microsoft Intune in their infrastructure.
+
+***Configure PUA in SCCM***
+
+For SCCM users, PUA is enabled by default. See the following topics for configuration details:
+
+If you are using these versions | See these topics
+:---|:---
+System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)
[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
+System Center 2012 R2 Endpoint Protection
System Center 2012 Configuration Manager
System Center 2012 Configuration Manager SP1
System Center 2012 Configuration Manager SP2
System Center 2012 R2 Configuration Manager
System Center 2012 Endpoint Protection SP1
System Center 2012 Endpoint Protection
System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
+
+
+***Use PUA audit mode in SCCM***
+
+You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
+
+1. Open PowerShell as Administrator
+
+ a. Click **Start**, type **powershell**, and press **Enter**.
+
+ b. Click **Windows PowerShell** to open the interface.
+
+ > [!NOTE]
+ > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+
+2. Enter the PowerShell command:
+
+ ```text
+ et-mpPreference -puaprotection 2
+ ```
+> [!NOTE]
+> PUA events are reported in the Windows Event Viewer and not in SCCM.
+
+
+***Configure PUA in Intune***
+
+ PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
+
+
+ ***Use PUA audit mode in Intune***
+
+ You can detect PUA without blocking them from your client. Gain insights into what can be blocked.
+
+**View PUA events**
+
+PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. To view PUA events:
+
+1. Open **Event Viewer**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3. Double-click on **Operational**.
+4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
+
+You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
+
+
+**What PUA notifications look like**
+
+When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
+
+
+
+To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
+
+
+
+**PUA threat file-naming convention**
+
+When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
+
+**PUA blocking conditions**
+
+PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
+* The file is being scanned from the browser
+* The file has [Mark of the Web](https://msdn.microsoft.com/en-us/library/ms537628%28v=vs.85%29.aspx) set
+* The file is in the %downloads% folder
+* Or if the file in the %temp% folder
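Review bot: The audit-mode command in step 2 is written as `et-mpPreference -puaprotection 2`, which is missing the leading "S" and will fail as typed. It should be `Set-MpPreference -PUAProtection 2`, and the fence is better tagged `powershell` than `text`. Other points in the new file: the front matter sets `ms.pagetype: security` twice; "Use PUA audit mode in Intune" has no steps or link telling the reader how to turn audit mode on; and the last blocking condition reads "Or if the file in the %temp% folder" (missing "is"). The SCCM section says PUA is enabled by default while the audit-mode note sends readers to Event Viewer, so it would help to state that audit mode set this way logs Event ID 1160 without quarantining the file.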
diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md
index 7de2f367e0..3bae653290 100644
--- a/windows/keep-secure/encrypted-hard-drive.md
+++ b/windows/keep-secure/encrypted-hard-drive.md
@@ -12,7 +12,8 @@ author: brianlic-msft
# Encrypted Hard Drive
**Applies to**
-- Windows 10
+- Windows 10
+- Windows Server 2016
Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
index 1a19780713..fe5431ac69 100644
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
@@ -183,7 +183,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
## Related topics
-[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/images/defender/client.png b/windows/keep-secure/images/defender/client.png
new file mode 100644
index 0000000000..4f2118206e
Binary files /dev/null and b/windows/keep-secure/images/defender/client.png differ
diff --git a/windows/keep-secure/images/defender/detection-source.png b/windows/keep-secure/images/defender/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/images/defender/detection-source.png differ
diff --git a/windows/keep-secure/images/defender/download-wdo.png b/windows/keep-secure/images/defender/download-wdo.png
new file mode 100644
index 0000000000..50d2fc3152
Binary files /dev/null and b/windows/keep-secure/images/defender/download-wdo.png differ
diff --git a/windows/keep-secure/images/defender/enhanced-notifications.png b/windows/keep-secure/images/defender/enhanced-notifications.png
new file mode 100644
index 0000000000..8317458416
Binary files /dev/null and b/windows/keep-secure/images/defender/enhanced-notifications.png differ
diff --git a/windows/keep-secure/images/defender/gp.png b/windows/keep-secure/images/defender/gp.png
new file mode 100644
index 0000000000..8b57c7b45c
Binary files /dev/null and b/windows/keep-secure/images/defender/gp.png differ
diff --git a/windows/keep-secure/images/defender/notification.png b/windows/keep-secure/images/defender/notification.png
new file mode 100644
index 0000000000..cad9f162e9
Binary files /dev/null and b/windows/keep-secure/images/defender/notification.png differ
diff --git a/windows/keep-secure/images/defender/sccm-wdo.png b/windows/keep-secure/images/defender/sccm-wdo.png
new file mode 100644
index 0000000000..8f504b94e1
Binary files /dev/null and b/windows/keep-secure/images/defender/sccm-wdo.png differ
diff --git a/windows/keep-secure/images/defender/settings-wdo.png b/windows/keep-secure/images/defender/settings-wdo.png
new file mode 100644
index 0000000000..23412856b0
Binary files /dev/null and b/windows/keep-secure/images/defender/settings-wdo.png differ
diff --git a/windows/keep-secure/images/defender/ux-config-key.png b/windows/keep-secure/images/defender/ux-config-key.png
new file mode 100644
index 0000000000..3e2d966342
Binary files /dev/null and b/windows/keep-secure/images/defender/ux-config-key.png differ
diff --git a/windows/keep-secure/images/defender/ux-uilockdown-key.png b/windows/keep-secure/images/defender/ux-uilockdown-key.png
new file mode 100644
index 0000000000..86d1b4b249
Binary files /dev/null and b/windows/keep-secure/images/defender/ux-uilockdown-key.png differ
diff --git a/windows/keep-secure/images/detection-source.png b/windows/keep-secure/images/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/images/detection-source.png differ
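Review bot: `images/detection-source.png` is added here with the same blob id (7d471dc22d) as `images/defender/detection-source.png` earlier in this change, so the identical image is being committed at two paths. Keep one copy and point any references at it, unless both paths are linked from existing topics.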
diff --git a/windows/keep-secure/images/hellosettings.png b/windows/keep-secure/images/hellosettings.png
index 77a8753b5c..9b897a136e 100644
Binary files a/windows/keep-secure/images/hellosettings.png and b/windows/keep-secure/images/hellosettings.png differ
diff --git a/windows/keep-secure/images/pinerror.png b/windows/keep-secure/images/pinerror.png
index 188b981299..28a759f2fc 100644
Binary files a/windows/keep-secure/images/pinerror.png and b/windows/keep-secure/images/pinerror.png differ
diff --git a/windows/keep-secure/images/pua1.png b/windows/keep-secure/images/pua1.png
new file mode 100644
index 0000000000..f3d96a245a
Binary files /dev/null and b/windows/keep-secure/images/pua1.png differ
diff --git a/windows/keep-secure/images/pua2.png b/windows/keep-secure/images/pua2.png
new file mode 100644
index 0000000000..72ffa10aa5
Binary files /dev/null and b/windows/keep-secure/images/pua2.png differ
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index 4f2de5952b..813a67705d 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -312,7 +312,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
Azure AD subscription |
- Active Directory Federation Service (AD FS) (Windows Server 2016)
-- A few Windows Server 2016 Technical Preview domain controllers on-site
+- A few Windows Server 2016 domain controllers on-site
- Microsoft System Center 2012 R2 Configuration Manager SP2
|
@@ -350,12 +350,12 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
-Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS.
## Windows Hello for BYOD
-Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources.
-The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
+Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources.
+
+The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
## Related topics
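Review bot: The rewritten BYOD paragraph contains a tense error in "create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources"; it should read "and use this PIN". The change also moves from a separate work PIN to a single PIN governed by both Windows Hello for Business policies and DeviceLock policy, so the text should say which policy takes precedence when the two set different length or complexity requirements. The hunk also deletes the Active Directory sentence without a replacement, which leaves the list of what each component provides without an Active Directory entry.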
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
index c55903536b..78dcd69fae 100644
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@@ -29,7 +29,7 @@ Hello addresses the following problems with passwords:
Hello lets users authenticate to:
- a Microsoft account.
- an Active Directory account.
-- a Microsoft Azure Active Directory (AD) account.
+- a Microsoft Azure Active Directory (Azure AD) account.
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
@@ -41,26 +41,30 @@ As an administrator in an enterprise or educational organization, you can create
## The difference between Windows Hello and Windows Hello for Business
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication.
- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
+- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release.
+
## Benefits of Windows Hello
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
-In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
+In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.

Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
-Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
+
+Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
-> **Note:** Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
## How Windows Hello for Business works: key points
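Review bot: The added provisioning paragraph has a typo in "the identify provider knows", which should read "the identity provider knows", and "tied to TPM" needs an article to match "the Trusted Platform Module (TPM)" earlier in the same paragraph. In the rewritten benefits sentence, "helps circumvent phishing and brute force attacks" is carried over unchanged; "circumvent" reads as evading rather than resisting those attacks, so "helps protect against" would be clearer. The final sentence on the attestation claim is the one relying parties will act on, so consider moving it out of the long paragraph into its own line or note.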
@@ -73,7 +77,7 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential
- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
- Certificates are added to the Hello container and are protected by the Hello gesture.
-- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run.
+
## Comparing key-based and certificate-based authentication
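Review bot: The removed bullet documented that after a Windows Update reboot "the last interactive user is automatically signed on without any user gesture", and this hunk replaces it with a blank line without saying whether that behavior has changed. If the behavior still exists, keep the bullet or move it to a topic that is linked from here, since a session that opens without a gesture is something administrators need to know about. If the behavior has been removed, say so in the commit description.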
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
index e99c7d38aa..8f3d731281 100644
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@@ -17,11 +17,11 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
+When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
-The following image shows an example of an error during **Create a work PIN**.
+The following image shows an example of an error during **Create a PIN**.

diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
index 154996d6b6..72a30d320b 100644
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@@ -23,7 +23,7 @@ After enrollment in Hello, users should use their gesture (such as a PIN or fing
Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
-People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
+People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
## On devices owned by the organization
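Review bot: The changed sentence now reads "virtual or physical smart cards" at the start but still ends with "can use their virtual smart card to verify their identity", so it is unclear whether a physical smart card is accepted for verification during Hello setup. If both are accepted, change the second mention to "their smart card"; if only virtual smart cards are accepted for this step, the first half should not have been widened.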
@@ -35,13 +35,13 @@ Next, they select a way to connect. Tell the people in your enterprise which opt

-They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length.
+They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
## On personal devices
-People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.)
+People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
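Review bot: The personal-devices paragraph drops the parenthetical "(This work account gesture doesn't affect the device unlock PIN.)" with no replacement, which leaves readers unsure whether the PIN created for the work account is separate from the device unlock PIN. Either keep the statement if it is still accurate or add a sentence describing the current relationship between the two. While touching this line, "enters and confirms new PIN" is missing an article ("a new PIN").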
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
index 9e6debeb0f..bf02b33e04 100644
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
@@ -1,7 +1,7 @@
---
-title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can run a scan using the command line in Windows Defender in Windows 10.
-keywords: scan, command line, mpcmdrun, defender
+title: Learn how to run a scan from command line in Windows Defender (Windows 10)
+description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
+keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -19,19 +19,19 @@ author: mjcaparas
IT professionals can use a command-line utility to run a Windows Defender scan.
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_
+The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
This utility can be handy when you want to automate the use of Windows Defender.
-**To run a full system scan from the command line**
+**To run a quick scan from the command line**
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2
+C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
```
-The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
+The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
The utility also provides other commands that you can run:
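Review bot: The command in the code block is an unquoted path containing spaces, `C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1`, which cmd will not run as written because it stops at `C:\Program`. Step 2 already tells the reader to navigate to the folder, so the block can show just `MpCmdRun.exe -scan -scantype 1`, or the full path wrapped in double quotes. The change also replaces the full-scan example instead of adding to it; since the diff shows `-scantype 2` labelled as full and `-scantype 1` labelled as quick, a one-line list of the scan type values would keep both documented.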
@@ -43,12 +43,12 @@ MpCmdRun.exe [command] [-options]
Command | Description
:---|:---
\- ? / -h | Displays all available options for the tool
-\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious softare
+\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
\-GetFiles | Collects support information
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-\-AddDynamicSignature [-Path] | Loads a dyanmic signature
+\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
-\-EnableIntegrityServices | Enables integrity services
-\-SubmitSamples | Submit all sample requests
\ No newline at end of file
+
+The command-line utility provides detailed information on the other commands supported by the tool.
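Review bot: The corrected `-Scan` row still shows `[-File [-DisableRemediation] [-BootSectorScan]][-Timeout ]` with no argument after `-File` and nothing between `-Timeout` and the closing bracket, which suggests angle-bracket placeholders were lost; escape them so the path and timeout arguments render. The new closing sentence, "The command-line utility provides detailed information on the other commands supported by the tool", does not say how to get that information; point to the `-?` / `-h` option from the first row of the table. The rows for `-EnableIntegrityServices` and `-SubmitSamples` are removed without explanation, so note in the commit description whether they are unsupported or just undocumented. The file also still ends without a final newline in the old version only; confirm the new version ends with one.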
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
index e81dff792a..088acf33fa 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -23,7 +23,8 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
-> **Note:** PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+> [!NOTE]
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
@@ -32,7 +33,8 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
- > **Note:** You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+ > [!NOTE]
+ > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
3. Enter the command and parameters.
To open online help for any of the cmdlets type the following:
@@ -41,3 +43,7 @@ To open online help for any of the cmdlets type the following:
Get-Help -Online
```
Omit the `-online` parameter to get locally cached help.
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
new file mode 100644
index 0000000000..6f7d62ba38
--- /dev/null
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md
@@ -0,0 +1,113 @@
+---
+title: Enable the Block at First Sight feature to detect malware within seconds
+description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
+keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Enable the Block at First Sight feature in Windows 10
+
+**Applies to**
+
+- Windows 10, version 1607
+
+Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
+
+You can enable Block at First Sight with Group Policy or individually on endpoints.
+
+## Backend procesing and near-instant determinations
+
+When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
+
+If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud.
+
+If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
+
+The file-based determination typically takes 1 to 4 seconds.
+
+> [!NOTE]
+> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
+
+
+## Enable Block at First Sight
+
+### Use Group Policy to configure Block at First Sight
+
+You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
+
+This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
+
+Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work.
+
+**Configure pre-requisite cloud protection Group Policy settings:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
+
+ 1. Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+
+ 1. Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following:
+
+ 1. Send safe samples (1)
+
+ 1. Send all samples (3)
+
+ > [!NOTE]
+ > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
+
+ 1. Click OK after both Group Policies have been set.
+
+1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
+
+ 1. Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**.
+
+ 1. Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**.
+
+
+
+**Enable Block at First Sight with Group Policy**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree through **Windows components > Windows Defender > MAPS**.
+
+1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Enabled**.
+
+ > [!NOTE]
+ > The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
+
+### Manually enable Block at First Sight on Individual clients
+
+To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
+
+**Enable Block at First Sight on invididual clients**
+
+1. Open Windows Defender settings:
+
+ a. Open the Windows Defender app and click **Settings**.
+
+ b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
+
+2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
+
+> [!NOTE]
+> These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy.
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
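Review bot: Both Group Policy procedures in this new file number their steps 1, 3, 4, 5, so step 2 is either missing or the numbering is wrong; if a step was dropped (for example selecting the Group Policy Object), restore it, otherwise renumber or use `1.` throughout as the nested steps do. There are typos in two headings, "Backend procesing" and "invididual clients", and "to determine the files as malicious or clean" should read "to determine whether the file is malicious or clean". The front matter lists `ms.pagetype: security` twice. The note on sample submission gives the numeric values 0 and 2 while the option list gives 1 and 3; putting all four values in one list with their effect on Block at First Sight would make the prerequisite easier to audit. The file ends without a trailing newline.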
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md
new file mode 100644
index 0000000000..e7ce19cd26
--- /dev/null
+++ b/windows/keep-secure/windows-defender-enhanced-notifications.md
@@ -0,0 +1,43 @@
+---
+title: Configure enhanced notifications for Windows Defender
+description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
+keywords: notifications, defender, endpoint, management, admin
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Configure enhanced notifications for Windows Defender in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
+
+Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
+
+You can enable and disable enhanced notifications with the registry or in Windows Settings.
+
+## Configure enhanced notifications
+
+You can disable enhanced notifications on individual endpoints in Windows Settings.
+
+**Use Windows Settings to disable enhanced notifications on individual endpoints**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
+
+1. Toggle the setting between **On** and **Off**.
+
+
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
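Review bot: The introduction says "You can enable and disable enhanced notifications with the registry or in Windows Settings", but the topic only documents the Windows Settings toggle and gives no registry key or value. Either add the registry procedure or drop the mention of the registry. The section text and procedure title also say "disable" only, while step 3 toggles between On and Off; word them as "enable or disable" for consistency. The front matter lists `ms.pagetype: security` twice, and the file ends without a trailing newline.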
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 0f5d4d28f0..07242d64f4 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -1,84 +1,76 @@
----
-title: Windows Defender in Windows 10 (Windows 10)
-description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-author: jasesso
----
-
-# Windows Defender in Windows 10
-
-**Applies to**
-- Windows 10
-
-Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
-This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
-
-Take advantage of Windows Defender by configuring settings and definitions using the following tools:
-- Microsoft Active Directory *Group Policy* for settings
-- Windows Server Update Services (WSUS) for definitions
-
-Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
-> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
-- Settings management
-- Definition update management
-- Alerts and alert management
-- Reports and report management
-
-When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
-
-### Minimum system requirements
-
-Windows Defender has the same hardware requirements as Windows 10. For more information, see:
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
-
-### New and changed functionality
-
-- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
-- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
-- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
-
-For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
-
-## In this section
-
-
-
-
-
-
-
-
-
-
-
-[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) |
-IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using:
-
-- Group Policy Settings
-- Windows Management Instrumentation (WMI)
-- PowerShell
- |
-
-
-[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) |
-IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS. |
-
-
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) |
-IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. |
-
-
-
-
-
-
+---
+title: Windows Defender in Windows 10 (Windows 10)
+description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
+ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: jasesso
+---
+
+# Windows Defender in Windows 10
+
+**Applies to**
+- Windows 10
+
+Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+This topic provides an overview of Windows Defender, including a list of system requirements and new features.
+
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
+
+Take advantage of Windows Defender by configuring settings and definitions using the following tools:
+- Microsoft Active Directory *Group Policy* for settings
+- Windows Server Update Services (WSUS) for definitions
+
+Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
+> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
+- Settings management
+- Definition update management
+- Alerts and alert management
+- Reports and report management
+
+When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
+
+
+### Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+
+### Minimum system requirements
+
+Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
+
+### New and changed functionality
+
+- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
+- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
+- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
+
+For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
+[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
+[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
+[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
+[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
+[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
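Review bot: Two link texts in the new "In this section" table are misspelled: "directly from winthin Windows" should be "within", and "Enable the Black at First Sight feature" should be "Block at First Sight", matching the title of the linked topic. The re-added note still uses `> **Note:**` while the other files in this patch convert to `> [!NOTE]`, and the four bullets after it sit outside the blockquote, so they will not render as part of the note. The hunk removes and re-adds every line of the file even though most lines are textually identical, which hides the real changes (the new ATP compatibility section and the table); if this is a line-ending or encoding change, split it into its own commit.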
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md
new file mode 100644
index 0000000000..d861493653
--- /dev/null
+++ b/windows/keep-secure/windows-defender-offline.md
@@ -0,0 +1,181 @@
+---
+title: Windows Defender Offline in Windows 10
+description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Windows Defender Offline in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## Pre-requisites and requirements
+
+Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Windows Defender Offline updates
+
+Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+
+
+The user will also be notified within the Windows Defender client:
+
+
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+
+
+## Manage notifications
+
+
+You can suppress Windows Defender Offline notifications with Group Policy.
+
+> [!NOTE]
+> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
+
+**Use Group Policy to suppress Windows Defender notifications:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
+
+1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
+
+## Configure Windows Defender Offline settings
+
+You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
+
+For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
+
+For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
+
+## Run a scan
+
+Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
+
+> [!NOTE]
+> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
+
+You can set up a Windows Defender Offline scan with the following:
+
+- Windows Update and Security settings
+
+- Windows Defender
+
+- Windows Management Instrumentation
+
+- Windows PowerShell
+
+- Group Policy
+
+> [!NOTE]
+> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+**Run Windows Defender Offline from Windows Settings:**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
+
+1. Click **Scan offline**.
+
+ 
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+**Run Windows Defender Offline from Windows Defender:**
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. On the **Home** tab click **Download and Run**.
+
+ 
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+
+**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
+
+Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
+
+The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```WMI
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
+
+**Run Windows Defender Offline using PowerShell:**
+
+Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
+
+For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
+
+## Review scan results
+
+Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. Go to the **History** tab.
+
+1. Select **All detected items**.
+
+1. Click **View details**.
+
+Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
+
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
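Review bot: the new topic mislabels two PowerShell cmdlets. Under "Configure Windows Defender Offline settings", `Set-MpPreference` is introduced as Windows Management Instrumentation, and under "Run Windows Defender Offline using PowerShell", `Start-MpWDOScan` is called a "PowerShell parameter". Describe both as cmdlets, and keep the WMI wording for the `MSFT_MpWDOScan` class. Smaller points in the same file: `ms.pagetype: security` appears twice in the front matter; the enhanced-notifications link is followed by a stray `]`; "usually though Microsoft Update" should read "through"; "optios" should read "options"; the "Run a scan" list names Group Policy, but no Group Policy procedure follows; the Group Policy steps are numbered 1, 3, 4, 5, 1; and the file has no trailing newline.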
diff --git a/windows/keep-secure/wip-enterprise-overview.md b/windows/keep-secure/wip-enterprise-overview.md
index 7724af5d0e..433af351d2 100644
--- a/windows/keep-secure/wip-enterprise-overview.md
+++ b/windows/keep-secure/wip-enterprise-overview.md
@@ -11,12 +11,12 @@ ms.pagetype: security
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
+- Windows 10
+- Windows 10 Mobile
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
+Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Benefits of WIP
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index a7ca2c26eb..7c04914b16 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -66,6 +66,7 @@
#### [Security Considerations for UE-V](uev-security-considerations.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
+####[Windows Store for Business overview](windows-store-for-business-overview.md)
#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md
index 8697ff8945..ad0589981e 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/manage/changes-to-start-policies-in-windows-10.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Changes to Group Policy settings for Windows 10 Start
diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md
index 6a8dd2c3c5..175c61bf6e 100644
--- a/windows/manage/configure-devices-without-mdm.md
+++ b/windows/manage/configure-devices-without-mdm.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices
author: jdeckerMS
+localizationpriority: medium
---
# Configure devices without MDM
diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md
index 83fd6310e1..0424d18166 100644
--- a/windows/manage/configure-windows-10-taskbar.md
+++ b/windows/manage/configure-windows-10-taskbar.md
@@ -12,7 +12,8 @@ localizationpriority: medium
Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar.
-> **Note:** The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
+> [!NOTE]
+> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](http://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
@@ -20,7 +21,8 @@ If you specify an app to be pinned that is not installed on the computer, it won
The order of apps in the xml file dictates order of apps on taskbar from left to right, to the right of any existing apps pinned by user.
-> **Note** In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
+> [!NOTE]
+> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
@@ -220,7 +222,8 @@ The resulting taskbar for computers in any other country region:

-> **Note** [Look up country and region codes (use the ISO Short column)](http://go.microsoft.com/fwlink/p/?LinkId=786445)
+> [!NOTE]
+> [Look up country and region codes (use the ISO Short column)](http://go.microsoft.com/fwlink/p/?LinkId=786445)
diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md
index 46e13d01b9..68d1056ac3 100644
--- a/windows/manage/customize-and-export-start-layout.md
+++ b/windows/manage/customize-and-export-start-layout.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Customize and export Start layout
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index acdd1656ab..6c7c63c9cd 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Customize Windows 10 Start and taskbar with Group Policy
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
index de8f037cfe..2e17e4b129 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Customize Windows 10 Start with mobile device management (MDM)
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index e3ca4b1967..2fcd71d6ad 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Customize Windows 10 Start and taskbar with ICD and provisioning packages
diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md
index 525b08904e..90eaa4a016 100644
--- a/windows/manage/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md
@@ -5,6 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: brianlic-msft
+localizationpriority: high
---
# Group Policies that apply only to Windows 10 Enterprise and Education Editions
@@ -20,7 +21,7 @@ In Windows 10, version 1607, the following Group Policies apply only to Windows
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
-| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md |
+| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Do not require CTRL+ALT+DEL** combined with**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon andComputer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
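Review bot: the fix closes the link in the **Do not display the lock screen** row, but the **Do not show Windows Tips** row two lines below still ends with `(windows-spotlight.md |` and is missing the same closing parenthesis. Fix that row in this change as well.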
diff --git a/windows/manage/guidelines-for-assigned-access-app.md b/windows/manage/guidelines-for-assigned-access-app.md
index 8e5cb9e7e1..2d776f2cf5 100644
--- a/windows/manage/guidelines-for-assigned-access-app.md
+++ b/windows/manage/guidelines-for-assigned-access-app.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: high
---
# Guidelines for choosing an app for assigned access (kiosk mode)
diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md
index fa09b55f1c..a61e88337b 100644
--- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Introduction to configuration service providers (CSPs) for IT pros
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index 3a8047bf80..07b423dbf8 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Join Windows 10 Mobile to Azure Active Directory
diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md
index 232ab26d13..71622d4902 100644
--- a/windows/manage/lock-down-windows-10-to-specific-apps.md
+++ b/windows/manage/lock-down-windows-10-to-specific-apps.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerMS
+localizationpriority: high
---
# Lock down Windows 10 to specific apps
@@ -114,6 +115,10 @@ To learn more about locking down features, see [Customizations for Windows 10 En
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
+## Related topics
+
+- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
+
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index 23461ca922..a3374f6d0f 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
+localizationpriority: high
---
# Lock down Windows 10
diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md
index 0c82b6da7c..555ec7ab73 100644
--- a/windows/manage/lockdown-features-windows-10.md
+++ b/windows/manage/lockdown-features-windows-10.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
# Lockdown features from Windows Embedded 8.1 Industry
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 90f5d9ca65..08bd7496c7 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
+localizationpriority: high
---
# Configure Windows 10 Mobile using Lockdown XML
@@ -22,7 +23,8 @@ This topic provides example XML that you can use in your own lockdown XML file t
Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
-> **Note** On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
+> [!NOTE]
+> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first.
@@ -211,7 +213,8 @@ Search |  |  |  |  | 
Custom 1, 2, and 3 |  |  | 
-> **Note** Custom buttons are hardware buttons that can be added to devices by OEMs.
+> [!NOTE]
+> Custom buttons are hardware buttons that can be added to devices by OEMs.
In the following example, press-and-hold is disabled for the Back button.
@@ -240,7 +243,8 @@ If you don't specify a button event, all actions for the button are disabled. In
ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons.
-> **Warning** Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role.
+> [!WARNING]
+> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role.
To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open.
In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app.
@@ -268,7 +272,8 @@ CSPRunner is helpful when you are configuring a device to support multiple roles
In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section.
-> **Note** This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx).
+> [!NOTE]
+> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx).
Let's start with the structure of SyncML in the following example:
@@ -354,7 +359,9 @@ For a list of the settings and quick actions that you can allow or block, see [S

By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
- > **Important** If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
+
+ > [!IMPORTANT]
+ > If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
```xml
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 69564006f4..1a3ffc0c33 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -60,83 +60,85 @@ Here's what's covered in this article:
- [9. Mail synchronization](#bkmk-mailsync)
- - [10. Microsoft Edge](#bkmk-edge)
+ - [10. Microsoft Account](#bkmk-microsoft-account)
- - [10.1 Microsoft Edge Group Policies](#bkmk-edgegp)
+ - [11. Microsoft Edge](#bkmk-edge)
- - [10.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
+ - [11.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- - [10.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
+ - [11.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- - [11. Network Connection Status Indicator](#bkmk-ncsi)
+ - [11.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- - [12. Offline maps](#bkmk-offlinemaps)
+ - [12. Network Connection Status Indicator](#bkmk-ncsi)
- - [13. OneDrive](#bkmk-onedrive)
+ - [13. Offline maps](#bkmk-offlinemaps)
- - [14. Preinstalled apps](#bkmk-preinstalledapps)
+ - [14. OneDrive](#bkmk-onedrive)
- - [15. Settings > Privacy](#bkmk-settingssection)
+ - [15. Preinstalled apps](#bkmk-preinstalledapps)
- - [15.1 General](#bkmk-priv-general)
+ - [16. Settings > Privacy](#bkmk-settingssection)
- - [15.2 Location](#bkmk-priv-location)
+ - [16.1 General](#bkmk-priv-general)
- - [15.3 Camera](#bkmk-priv-camera)
+ - [16.2 Location](#bkmk-priv-location)
- - [15.4 Microphone](#bkmk-priv-microphone)
+ - [16.3 Camera](#bkmk-priv-camera)
- - [15.5 Notifications](#bkmk-priv-notifications)
+ - [16.4 Microphone](#bkmk-priv-microphone)
- - [15.6 Speech, inking, & typing](#bkmk-priv-speech)
+ - [16.5 Notifications](#bkmk-priv-notifications)
- - [15.7 Account info](#bkmk-priv-accounts)
+ - [16.6 Speech, inking, & typing](#bkmk-priv-speech)
- - [15.8 Contacts](#bkmk-priv-contacts)
+ - [16.7 Account info](#bkmk-priv-accounts)
- - [15.9 Calendar](#bkmk-priv-calendar)
+ - [16.8 Contacts](#bkmk-priv-contacts)
- - [15.10 Call history](#bkmk-priv-callhistory)
+ - [16.9 Calendar](#bkmk-priv-calendar)
- - [15.11 Email](#bkmk-priv-email)
+ - [16.10 Call history](#bkmk-priv-callhistory)
- - [15.12 Messaging](#bkmk-priv-messaging)
+ - [16.11 Email](#bkmk-priv-email)
- - [15.13 Radios](#bkmk-priv-radios)
+ - [16.12 Messaging](#bkmk-priv-messaging)
- - [15.14 Other devices](#bkmk-priv-other-devices)
+ - [16.13 Radios](#bkmk-priv-radios)
- - [15.15 Feedback & diagnostics](#bkmk-priv-feedback)
+ - [16.14 Other devices](#bkmk-priv-other-devices)
- - [15.16 Background apps](#bkmk-priv-background)
+ - [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
- - [16. Software Protection Platform](#bkmk-spp)
+ - [16.16 Background apps](#bkmk-priv-background)
- - [17. Sync your settings](#bkmk-syncsettings)
+ - [17. Software Protection Platform](#bkmk-spp)
- - [18. Teredo](#bkmk-teredo)
+ - [18. Sync your settings](#bkmk-syncsettings)
- - [19. Wi-Fi Sense](#bkmk-wifisense)
+ - [19. Teredo](#bkmk-teredo)
- - [20. Windows Defender](#bkmk-defender)
+ - [20. Wi-Fi Sense](#bkmk-wifisense)
- - [21. Windows Media Player](#bkmk-wmp)
+ - [21. Windows Defender](#bkmk-defender)
- - [22. Windows spotlight](#bkmk-spotlight)
+ - [22. Windows Media Player](#bkmk-wmp)
- - [23. Windows Store](#bkmk-windowsstore)
+ - [23. Windows spotlight](#bkmk-spotlight)
- - [24. Windows Update Delivery Optimization](#bkmk-updates)
+ - [24. Windows Store](#bkmk-windowsstore)
- - [24.1 Settings > Update & security](#bkmk-wudo-ui)
+ - [25. Windows Update Delivery Optimization](#bkmk-updates)
- - [24.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
+ - [25.1 Settings > Update & security](#bkmk-wudo-ui)
- - [24.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
+ - [25.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- - [24.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
+ - [25.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
- - [25. Windows Update](#bkmk-wu)
+ - [25.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
+
+ - [26. Windows Update](#bkmk-wu)
## What's new in Windows 10, version 1607
@@ -147,6 +149,7 @@ Here's a list of changes that were made to this article for Windows 10, version
- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists).
- Added a new setting in [25. Windows Update](#bkmk-wu).
- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi).
+- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account).
- Added the following Group Policies:
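Review bot: the unchanged changelog bullets next to the new line still carry the old section numbers. `[25. Windows Update](#bkmk-wu)` and `[11. Network Connection Status Indicator](#bkmk-ncsi)` become 26 and 12 elsewhere in this same patch. The anchors still resolve, but the link text should be renumbered in this change. The added bullet is also missing "in" before its link ("...cloud authentication service in [10. Microsoft Account]").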
@@ -351,11 +354,18 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-### 10. Microsoft Edge
+### 10. Microsoft Account
+
+To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
+
+- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentControlSet\\Services\\wlidsvc** to 4.
+
+
+### 11. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
-### 10.1 Microsoft Edge Group Policies
+### 11.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
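Review bot: the registry path in the new Microsoft Account bullet needs checking before merge. Service configuration keys, including each service's **Start** value, live under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, while the added line points to SOFTWARE\Microsoft\Windows\CurrentControlSet\Services\wlidsvc. An admin following the step as written is unlikely to find the key. It would also help to say that a Start value of 4 means the service is disabled. The opening sentence is a fragment ("To prevent communication to the Microsoft Account cloud authentication service."). Suggest making it the lead-in to the bullet and moving the loss-of-functionality warning into a `> [!NOTE]` block, as the NCSI section does.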
@@ -385,7 +395,7 @@ The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Open a new tab with an empty tab | Choose whether a new tab page appears. Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices. Set this to **about:blank** |
-### 10.2 Microsoft Edge MDM policies
+### 11.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -397,13 +407,13 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions.. Default: Allowed |
| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off. Default: Allowed |
-### 10.3 Microsoft Edge Windows Provisioning
+### 11.3 Microsoft Edge Windows Provisioning
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-### 11. Network Connection Status Indicator
+### 12. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
@@ -416,7 +426,7 @@ You can turn off NCSI through Group Policy:
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
-### 12. Offline maps
+### 13. Offline maps
You can turn off the ability to download and update offline maps.
@@ -426,13 +436,13 @@ You can turn off the ability to download and update offline maps.
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
-### 13. OneDrive
+### 14. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-### 14. Preinstalled apps
+### 15. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
@@ -544,43 +554,43 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-### 15. Settings > Privacy
+### 16. Settings > Privacy
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-- [15.1 General](#bkmk-general)
+- [16.1 General](#bkmk-general)
-- [15.2 Location](#bkmk-priv-location)
+- [16.2 Location](#bkmk-priv-location)
-- [15.3 Camera](#bkmk-priv-camera)
+- [16.3 Camera](#bkmk-priv-camera)
-- [15.4 Microphone](#bkmk-priv-microphone)
+- [16.4 Microphone](#bkmk-priv-microphone)
-- [15.5 Notifications](#bkmk-priv-notifications)
+- [16.5 Notifications](#bkmk-priv-notifications)
-- [15.6 Speech, inking, & typing](#bkmk-priv-speech)
+- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
-- [15.7 Account info](#bkmk-priv-accounts)
+- [16.7 Account info](#bkmk-priv-accounts)
-- [15.8 Contacts](#bkmk-priv-contacts)
+- [16.8 Contacts](#bkmk-priv-contacts)
-- [15.9 Calendar](#bkmk-priv-calendar)
+- [16.9 Calendar](#bkmk-priv-calendar)
-- [15.10 Call history](#bkmk-priv-callhistory)
+- [16.10 Call history](#bkmk-priv-callhistory)
-- [15.11 Email](#bkmk-priv-email)
+- [16.11 Email](#bkmk-priv-email)
-- [15.12 Messaging](#bkmk-priv-messaging)
+- [16.12 Messaging](#bkmk-priv-messaging)
-- [15.13 Radios](#bkmk-priv-radios)
+- [16.13 Radios](#bkmk-priv-radios)
-- [15.14 Other devices](#bkmk-priv-other-devices)
+- [16.14 Other devices](#bkmk-priv-other-devices)
-- [15.15 Feedback & diagnostics](#bkmk-priv-feedback)
+- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
-- [15.16 Background apps](#bkmk-priv-background)
+- [16.16 Background apps](#bkmk-priv-background)
-### 15.1 General
+### 16.1 General
**General** includes options that don't fall into other areas.
@@ -658,7 +668,7 @@ To turn off **Let apps on my other devices use Bluetooth to open apps and contin
- Turn off the feature in the UI.
-### 15.2 Location
+### 16.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
@@ -709,7 +719,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
-### 15.3 Camera
+### 16.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@@ -746,7 +756,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
-### 15.4 Microphone
+### 16.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@@ -764,7 +774,7 @@ To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
-### 15.5 Notifications
+### 16.5 Notifications
In the **Notifications** area, you can choose which apps have access to notifications.
@@ -778,7 +788,7 @@ To turn off **Let apps access my notifications**:
- Set the **Select a setting** box to **Force Deny**.
-### 15.6 Speech, inking, & typing
+### 16.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
@@ -813,7 +823,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/
- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero).
-### 15.7 Account info
+### 16.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
@@ -831,7 +841,7 @@ To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
-### 15.8 Contacts
+### 16.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@@ -845,7 +855,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
-### 15.9 Calendar
+### 16.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@@ -863,7 +873,7 @@ To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
-### 15.10 Call history
+### 16.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@@ -877,7 +887,7 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
-### 15.11 Email
+### 16.11 Email
In the **Email** area, you can choose which apps have can access and send email.
@@ -891,7 +901,7 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
-### 15.12 Messaging
+### 16.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@@ -909,7 +919,7 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
-### 15.13 Radios
+### 16.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@@ -927,7 +937,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
-### 15.14 Other devices
+### 16.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@@ -945,7 +955,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-### 15.15 Feedback & diagnostics
+### 16.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
@@ -1019,7 +1029,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
-### 15.16 Background apps
+### 16.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@@ -1027,7 +1037,7 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
-### 16. Software Protection Platform
+### 17. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
@@ -1039,7 +1049,7 @@ Enterprise customers can manage their Windows activation status with volume lice
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-### 17. Sync your settings
+### 18. Sync your settings
You can control if your settings are synchronized:
@@ -1065,13 +1075,13 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-### 18. Teredo
+### 19. Teredo
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
- From an elevated command prompt, run **netsh interface teredo set state disabled**
-### 19. Wi-Fi Sense
+### 20. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
@@ -1097,7 +1107,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-### 20. Windows Defender
+### 21. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
@@ -1149,7 +1159,7 @@ You can stop Enhanced Notifications:
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-### 21. Windows Media Player
+### 22. Windows Media Player
To remove Windows Media Player:
@@ -1159,7 +1169,7 @@ To remove Windows Media Player:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-### 22. Windows spotlight
+### 23. Windows spotlight
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
@@ -1197,13 +1207,13 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md).
-### 23. Windows Store
+### 24. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-### 24. Windows Update Delivery Optimization
+### 25. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@@ -1213,13 +1223,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive
In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
-### 24.1 Settings > Update & security
+### 25.1 Settings > Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-### 24.2 Delivery Optimization Group Policies
+### 25.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
@@ -1231,7 +1241,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size. The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. The default value is 0, which means unlimited possible bandwidth.|
-### 24.3 Delivery Optimization MDM policies
+### 25.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -1244,7 +1254,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. The default value is 0, which means unlimited possible bandwidth.|
-### 24.4 Delivery Optimization Windows Provisioning
+### 25.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@@ -1260,7 +1270,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
-### 25. Windows Update
+### 26. Windows Update
You can turn off Windows Update by setting the following registry entries:
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index 904a5922c3..c3bdd6979a 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
+localizationpriority: medium
---
# Manage corporate devices
diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/manage/manage-tips-and-suggestions.md
index 3b754f0ea5..f9e05fc19e 100644
--- a/windows/manage/manage-tips-and-suggestions.md
+++ b/windows/manage/manage-tips-and-suggestions.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
+localizationpriority: medium
---
# Manage Windows 10 and Windows Store tips, tricks, and suggestions
diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md
index 172b930871..6a6c1683ca 100644
--- a/windows/manage/manage-wifi-sense-in-enterprise.md
+++ b/windows/manage/manage-wifi-sense-in-enterprise.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
+localizationpriority: high
---
# Manage Wi-Fi Sense in your company
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
index 2da6a7e615..6dc1d6a75b 100644
--- a/windows/manage/new-policies-for-windows-10.md
+++ b/windows/manage/new-policies-for-windows-10.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# New policies for Windows 10
diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md
index f1e1f9a3e3..fd249d0732 100644
--- a/windows/manage/product-ids-in-windows-10-mobile.md
+++ b/windows/manage/product-ids-in-windows-10-mobile.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Product IDs in Windows 10 Mobile
diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md
index f9b0a026b4..5455485e1f 100644
--- a/windows/manage/reset-a-windows-10-mobile-device.md
+++ b/windows/manage/reset-a-windows-10-mobile-device.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Reset a Windows 10 Mobile device
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md
index 156c44901a..28b5f6a030 100644
--- a/windows/manage/set-up-a-device-for-anyone-to-use.md
+++ b/windows/manage/set-up-a-device-for-anyone-to-use.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: high
---
# Set up a device for anyone to use (kiosk mode)
@@ -33,8 +34,8 @@ Do you need a computer that can only do one thing? For example:
The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device.
-**Note**
-A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
+> [!NOTE]
+> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index ed48272b37..940a457a76 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: high
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 50afb75bef..a8a83c428c 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/manage/set-up-shared-or-guest-pc.md
index a0c40e738a..047004f0c0 100644
--- a/windows/manage/set-up-shared-or-guest-pc.md
+++ b/windows/manage/set-up-shared-or-guest-pc.md
@@ -6,7 +6,7 @@ ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+localizationpriority: high
---
# Set up a shared or guest PC with Windows 10
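Review bot: the front matter context for this file shows `ms.prod: W10`, while the other files touched in this patch use `ms.prod: w10`. Since the metadata block is being edited anyway, consider normalizing the case here so the value matches the rest of the set.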
@@ -18,7 +18,8 @@ localizationpriority: medium
Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
-> **Note:** If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
+> [!NOTE]
+> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
##Shared PC mode concepts
A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
@@ -65,7 +66,9 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
##Configuring shared PC mode on Windows
You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
+

+
- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC.

@@ -73,7 +76,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
### Create a provisioning package for shared use
-Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
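Review bot: the changed line puts an install step inside the link text ("[Install the ADK and select **Configuration Designer**.]"), which reads as the name of the target page and nests bold inside a link. Keep the link as "Install the ADK" and state the feature selection in the sentence itself. While this area is open, the path in step 1 starts with `%windir%\Program Files (x86)`. `%windir%` normally resolves to the Windows directory, which does not contain Program Files (x86), so that default path should be checked.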
@@ -91,14 +94,14 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
8. On the **Export** menu, select **Provisioning package**.
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
- > **Tip**
- You can make changes to existing packages and change the version number to update previously applied packages.
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
-11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
- > **Important**
- We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
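Review bot: the reformatted IMPORTANT note in step 11 says that once the trusted provisioning certificate is installed, "any package signed with that certificate thereafter can be applied silently", but nothing in the step tells the admin to restrict access to that signing certificate. Since the note is being rewritten here, consider adding one sentence on that. Otherwise the recommendation documents a silent-install trust path without its precondition. Also check that the `> [!TIP]` and `> [!IMPORTANT]` blocks stay indented under their list items so that steps 10 and 11 keep their numbering.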
@@ -170,7 +173,8 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac

-> **Note:** If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
+> [!NOTE]
+> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
## Guidance for accounts on shared PCs
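Review bot: the converted alert states that "existing accounts and data might be lost", which is a data-loss warning, yet it is tagged `[!NOTE]`. The same file uses `[!IMPORTANT]` for weaker guidance (not setting additional policies). Use `[!IMPORTANT]` here so the severity of the alert matches its content.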
@@ -203,7 +207,8 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
-> **Important**: It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
+> [!IMPORTANT]
+> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md
index adf2de0b5e..fe4253fb64 100644
--- a/windows/manage/settings-that-can-be-locked-down.md
+++ b/windows/manage/settings-that-can-be-locked-down.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Settings and quick actions that can be locked down in Windows 10 Mobile
diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md
index 7a391739cc..5a85ddec8a 100644
--- a/windows/manage/sign-up-windows-store-for-business-overview.md
+++ b/windows/manage/sign-up-windows-store-for-business-overview.md
@@ -36,18 +36,22 @@ IT admins can sign up for the Windows Store for Business, and get started workin
+[Windows Store for Business overview](windows-store-for-business-overview.md) |
+Learn about Windows Store for Business. |
+
+
[Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md) |
There are a few prerequisites for using Store for Business. |
-
+
[Sign up for Windows Store for Business](sign-up-windows-store-for-business.md) |
Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process. |
-
+
[Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md) |
The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
-
+
[Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) |
The Store for Business has a group of settings that admins use to manage the store. |
diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md
index dabf676bf5..3668ccb6d7 100644
--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
+localizationpriority: high
---
# Configure access to Windows Store
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index 3053aedc09..a7d4e10a34 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices, security
author: AMeeus
+localizationpriority: high
---
# Windows 10 Mobile and mobile device management
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index 090c5ba1ac..c41206fb4c 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Manage Windows 10 Start and taskbar layout
diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md
index af6bd8ed19..2af7597418 100644
--- a/windows/manage/windows-spotlight.md
+++ b/windows/manage/windows-spotlight.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Windows Spotlight on the lock screen
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
new file mode 100644
index 0000000000..e2a222e6ee
--- /dev/null
+++ b/windows/manage/windows-store-for-business-overview.md
@@ -0,0 +1,277 @@
+---
+title: Windows Store for Business overview (Windows 10)
+description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
+ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
+ms.prod: w10
+ms.pagetype: store, mobile
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: TrudyHa
+---
+
+# Windows Store for Business overview
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+
+## Features
+
+
+Organizations of any size can benefit from using the Store for Business provides:
+
+- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
+
+- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
+
+- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device.
+
+- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
+
+ - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
+
+ - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
+
+ - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
+
+- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
+
+- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
+
+- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
+
+## Prerequisites
+
+
+You'll need this software to work with the Store for Business.
+
+### Required
+
+- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
+
+- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
+
+Microsoft Azure Active Directory (AD) accounts for your employees:
+
+- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
+
+- Employees need Azure AD account when they access Store for Business content from Windows devices.
+
+- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
+
+- For offline-licensed apps, Azure AD accounts are not required for employees.
+
+For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611).
+
+### Optional
+
+While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
+
+- Need to integrate with Windows 10 management framework and Azure AD.
+
+- Need to sync with the Store for Business inventory to distribute apps.
+
+## How does the Store for Business work?
+
+
+### Sign up!
+
+The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
+
+For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md).
+
+### Set up
+
+After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Admin |
+X |
+X |
+X |
+ |
+
+
+Purchaser |
+ |
+X |
+X |
+ |
+
+
+Device Guard signer |
+ |
+ |
+ |
+X |
+
+
+
+
+
+
+In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
+
+Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
+
+### Get apps and content
+
+Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
+
+**App types** -- These app types are supported in the Store for Business:
+
+- Universal Windows Platform apps
+
+- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens
+
+Apps purchased from the Store for Business only work on Windows 10 devices.
+
+Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps.
+
+**App licensing model**
+
+The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+
+For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model).
+
+### Distribute apps and content
+
+App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
+
+**Using the Store for Business** – Distribution options for the Store for Business:
+
+- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
+
+- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
+
+- To use the options above users must be signed in with an Azure AD account on a Windows 10 device.
+
+**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
+
+- Scoped content distribution – Ability to scope content distribution to specific groups of employees.
+
+- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees.
+
+Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
+
+For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md).
+
+### Manage Store for Business settings and content
+
+Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
+
+**Manage Store for Business settings**
+
+- Assign and change roles for employees or groups
+
+- Device Guard signing
+
+- Register a management server to deploy and install content
+
+- Manage relationships with LOB publishers
+
+- Manage offline licenses
+
+- Update the name of your private store
+
+**Manage inventory**
+
+- Assign app licenses to employees
+
+- Reclaim and reassign app licenses
+
+- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
+
+- Download apps for offline installs
+
+For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md).
+
+## Supported markets
+
+
+Store for Business is currently available in these markets.
+
+|Country or locale|Paid apps|Free apps|
+|-----------------|---------|---------|
+|Argentina|X|X|
+|Australia|X|X|
+|Austria|X|X|
+|Belgium (Dutch, French)|X|X|
+|Brazil| |X|
+|Canada (English, French)|X|X|
+|Chile|X|X|
+|Columbia|X|X|
+|Croatia|X|X|
+|Czech Republic|X|X|
+|Denmark|X|X|
+|Finland|X|X|
+|France|X|X|
+|Germany|X|X|
+|Greece|X|X|
+|Hong Kong SAR|X|X|
+|Hungary|X|X|
+|India| |X|
+|Indonesia|X|X|
+|Ireland|X|X|
+|Italy|X|X|
+|Japan|X|X|
+|Malaysia|X|X|
+|Mexico|X|X|
+|Netherlands|X|X|
+|New Zealand|X|X|
+|Norway|X|X|
+|Philippines|X|X|
+|Poland|X|X|
+|Portugal|X|X|
+|Romania|X|X|
+|Russia| |X|
+|Singapore|X|X|
+|Slovakia|X|X|
+|South Africa|X|X|
+|Spain|X|X|
+|Sweden|X|X|
+|Switzerland (French, German)|X|X|
+|Taiwan| |X|
+|Thailand|X|X|
+|Turkey|X|X|
+|Ukraine| |X|
+|United Kingdom|X|X|
+|United States|X|X|
+|Vietnam|X|X|
+
+## ISVs and the Store for Business
+
+
+Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
+
+- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
+
+- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
+
+- Admin adds the app to Store for Business inventory.
+
+Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
+
+For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
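Review bot: In the "Set up" section the roles table has no header row as added here. The Admin, Purchaser, and Device Guard signer rows carry X marks under four unnamed columns, so a reader cannot tell which permission each role grants; restore the column headings before this ships, since this is the only place the page defines who can do what. The same paragraph uses "WSFB roles" without ever expanding the abbreviation. The text was moved with its existing defects and these are worth fixing in the move: "Store for Businessare" and "Store for Businesswith" (missing spaces) in the first Features bullet, "as well private Line-of-Business (LOB) apps" (missing "as"), "Organizations of any size can benefit from using the Store for Business provides:", "a management tools provides", "develop apps, and submits the app", and "Columbia" in the markets table, which should be "Colombia". "For more information, see Working with Line-of-Business apps." under "Get apps and content" is plain text, while the same topic is linked at the end of the file. The front matter has no `localizationpriority`, although this commit adds that key to the other windows/manage topics. Now that the file lives in windows/manage, the `../manage/` prefix on its links is redundant; the sign-up topic in this commit links to siblings by bare file name.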
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index 63869a1878..a49967a2c0 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -11,7 +11,7 @@ localizationpriority: high
# What's new in Windows 10
-Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more.
+Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
## In this section
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 0221cdb67d..1e0c6c19dd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -298,6 +298,14 @@ A standard, customized Start layout can be useful on devices that are common to
Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../manage/windows-spotlight.md).
+### Windows Store for Business
+**New in Windows 10, version 1511**
+
+With the Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+
+For more information, see [Windows Store for Business overview](../manage/windows-store-for-business-overview.md).
+
+
## Updates
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
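Review bot: The added summary paragraph repeats the "as well private Line-of-Business (LOB) apps" wording from the overview topic; it should read "as well as private". It also uses "re-use", while the overview's license-management bullet uses "reuse"; pick one spelling. The section ends with two added blank lines before "## Updates" where one is enough.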
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index bb0c229571..f31f532c25 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -20,7 +20,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1
### Windows Imaging and Configuration Designer (ICD)
-In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
Windows ICD now includes simplified workflows for creating provisioning packages:
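Review bot: The rewritten sentence switches from "Windows ICD" to "the configuration designer component" and "the imaging components", while the heading, the preceding sentence, and the following line all say "Windows ICD". Either keep the product name ("you can install Windows ICD without the other ADK features") or introduce the component names once so readers know they refer to the same tool.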
@@ -38,23 +38,24 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
### Windows Hello for Business
-When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Additional changes for Windows Hello in Windows 10, version 1607:
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
-- Group Policy for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
-- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.
+- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
+- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
+
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
-### VPN
+### VPN
- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](../keep-secure/protect-enterprise-data-using-edp.md), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
+
### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
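Review bot: The bullet "Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser." is removed from the Windows Hello list without a replacement. That is a change to a documented sign-in capability, so the commit message should state whether the feature was dropped or the claim was inaccurate. Several other `-`/`+` pairs in this hunk (the opening Windows Hello paragraph, the first bullet, the "### VPN" heading) show no visible difference and appear to be whitespace-only; consider separating those from the content change. Since the VPN section is touched, the unchanged first bullet still contains "cloud-pased", which should be "cloud-based".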
@@ -65,6 +66,16 @@ Windows Information Protection (WIP) helps to protect against this potential dat
[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip)
+### Windows Defender
+Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
+
+- [Windows Defender Offline in Windows 10](../keep-secure/windows-defender-offline.md) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](../keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](../keep-secure/windows-defender-block-at-first-sight.md) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](../keep-secure/windows-defender-enhanced-notifications.md) to see more informaiton about threat detections and removal.
+- [Run a Windows Defender scan from the command line](../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](../keep-secure/enable-pua-windows-defender-for-windows-10.md) during download and install times.
+
## Management
### Use Remote Desktop Connection for PCs joined to Azure Active Directory
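Review bot: The enhanced notifications bullet in the new Windows Defender section has a typo, "informaiton", which should be "information". The new "### Windows Defender" heading is also followed directly by its introductory sentence with no blank line; add one if the other headings in this file are spaced that way.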
diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md
index e1934201c2..abb7c7f8f3 100644
--- a/windows/whats-new/windows-store-for-business-overview.md
+++ b/windows/whats-new/windows-store-for-business-overview.md
@@ -6,281 +6,6 @@ ms.prod: w10
ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
+redirect_url: https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business-overview
author: TrudyHa
---
-
-# Windows Store for Business overview
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
-
-## Features
-
-
-Organizations of any size can benefit from using the Store for Business provides:
-
-- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
-
-- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
-
-- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device.
-
-- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
-
- - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
-
- - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
-
- - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
-
-- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
-
-- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
-
-- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
-
-## Prerequisites
-
-
-You'll need this software to work with the Store for Business.
-
-### Required
-
-- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
-
-- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
-
-Microsoft Azure Active Directory (AD) accounts for your employees:
-
-- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
-
-- Employees need Azure AD account when they access Store for Business content from Windows devices.
-
-- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
-
-- For offline-licensed apps, Azure AD accounts are not required for employees.
-
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611).
-
-### Optional
-
-While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
-
-- Need to integrate with Windows 10 management framework and Azure AD.
-
-- Need to sync with the Store for Business inventory to distribute apps.
-
-## How does the Store for Business work?
-
-
-### Sign up!
-
-The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
-
-For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md).
-
-### Set up
-
-After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Admin |
-X |
-X |
-X |
- |
-
-
-Purchaser |
- |
-X |
-X |
- |
-
-
-Device Guard signer |
- |
- |
- |
-X |
-
-
-
-
-
-
-In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
-
-Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
-
-### Get apps and content
-
-Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
-
-**App types** -- These app types are supported in the Store for Business:
-
-- Universal Windows Platform apps
-
-- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens
-
-Apps purchased from the Store for Business only work on Windows 10 devices.
-
-Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps.
-
-**App licensing model**
-
-The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
-
-For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model).
-
-### Distribute apps and content
-
-App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
-
-**Using the Store for Business** – Distribution options for the Store for Business:
-
-- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
-
-- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
-
-- To use the options above users must be signed in with an Azure AD account on a Windows 10 device.
-
-**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
-
-- Scoped content distribution – Ability to scope content distribution to specific groups of employees.
-
-- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees.
-
-Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
-
-For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md).
-
-### Manage Store for Business settings and content
-
-Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
-
-**Manage Store for Business settings**
-
-- Assign and change roles for employees or groups
-
-- Device Guard signing
-
-- Register a management server to deploy and install content
-
-- Manage relationships with LOB publishers
-
-- Manage offline licenses
-
-- Update the name of your private store
-
-**Manage inventory**
-
-- Assign app licenses to employees
-
-- Reclaim and reassign app licenses
-
-- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
-
-- Download apps for offline installs
-
-For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md).
-
-## Supported markets
-
-
-Store for Business is currently available in these markets.
-
-|Country or locale|Paid apps|Free apps|
-|-----------------|---------|---------|
-|Argentina|X|X|
-|Australia|X|X|
-|Austria|X|X|
-|Belgium (Dutch, French)|X|X|
-|Brazil| |X|
-|Canada (English, French)|X|X|
-|Chile|X|X|
-|Columbia|X|X|
-|Croatia|X|X|
-|Czech Republic|X|X|
-|Denmark|X|X|
-|Finland|X|X|
-|France|X|X|
-|Germany|X|X|
-|Greece|X|X|
-|Hong Kong SAR|X|X|
-|Hungary|X|X|
-|India| |X|
-|Indonesia|X|X|
-|Ireland|X|X|
-|Italy|X|X|
-|Japan|X|X|
-|Malaysia|X|X|
-|Mexico|X|X|
-|Netherlands|X|X|
-|New Zealand|X|X|
-|Norway|X|X|
-|Philippines|X|X|
-|Poland|X|X|
-|Portugal|X|X|
-|Romania|X|X|
-|Russia| |X|
-|Singapore|X|X|
-|Slovakia|X|X|
-|South Africa|X|X|
-|Spain|X|X|
-|Sweden|X|X|
-|Switzerland (French, German)|X|X|
-|Taiwan| |X|
-|Thailand|X|X|
-|Turkey|X|X|
-|Ukraine| |X|
-|United Kingdom|X|X|
-|United States|X|X|
-|Vietnam|X|X|
-
-## ISVs and the Store for Business
-
-
-Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
-
-- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
-
-- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
-
-- Admin adds the app to Store for Business inventory.
-
-Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
-
-For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
-
-
-
-
-
-
-
-
-
|
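Review bot: in the removed "Supported markets" table, the row `|Columbia|X|X|` misspells Colombia, and the removed prose has two agreement slips ("a management tools provides", "develop apps, and submits the app"). If this text is being relocated rather than dropped, fix these in the destination copy instead of carrying them over. The removed sections also link to `../manage/` topics by relative path (for example `../manage/apps-in-windows-store-for-business.md#licensing-model` and `../manage/working-with-line-of-business-apps.md`), so re-check those paths if the content lands in a different folder. Also confirm that nothing else still links to this topic's "Supported markets" or "ISVs and the Store for Business" headings.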