diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index f0eda349b5..261306b721 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -102,7 +102,7 @@ Out-of-date ActiveX control blocking includes 4 new Group Policy settings that y
Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration.
**Important**
-Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption.
+Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption.
|Setting |Category path |Supported on |Help text |
|--------|--------------|-------------|----------|
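Review bot: In the changed **Important** sentence, the "therefore" clause still names only intranet websites and line-of-business apps, so it no longer follows from a sentence that now also exempts the Trusted Sites Zone. Suggest stating what the exemption means for that zone as well, for example that sites added to Trusted Sites also keep using out-of-date ActiveX controls, so admins understand that placing a site in that zone turns this blocking off for it.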
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md
index 3c0bd54506..fb6a9d0d0d 100644
--- a/windows/keep-secure/create-edp-policy-using-intune.md
+++ b/windows/keep-secure/create-edp-policy-using-intune.md
@@ -37,15 +37,13 @@ Microsoft Intune helps you create and deploy your enterprise data protection (ED
After you’ve installed and set up Intune for your organization, you must create an EDP-specific policy.
**To add an EDP policy**
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
-2. Click **Add Policy** from the **Tasks** area.
-
-3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+2. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.

-4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.

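Review bot: The merged step 1 chains its actions with "and go to ... and then click ... from", which reads awkwardly now that the old step 2 has been folded in. Suggest "Open the Intune administration console, go to the **Policy** node, and then click **Add Policy** from the **Tasks** area." The renumbering of the following steps to 2 and 3 is consistent with the merge.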
@@ -93,7 +91,7 @@ The steps to add your apps are based on the type of app it is; either a Universa
**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**
- 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature.
+ 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
**Note**
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
@@ -104,10 +102,11 @@ The steps to add your apps are based on the type of app it is; either a Universa
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
- 6. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about.
-
The **Publisher** and **Product Name** values appear. + 6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + + 7. Start the app for which you're looking for the publisher and product name values - 7. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
``` json
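Review bot: New steps 6 and 7 look out of order: step 6 says the **Apps** tab shows details for the running apps, but the app is only started in step 7, so it may not be listed yet when the reader reaches step 6. Suggest starting the app first and then reading the values on the **Apps** tab. Step 7 is also missing its closing period, and with the sentence "The **Publisher** and **Product Name** values appear." removed, step 8 refers to `publisherCertificateName` and `packageIdentityName` without saying where the reader sees them.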
@@ -157,8 +156,6 @@ The steps to add your apps are based on the type of app it is; either a Universa
- 
-
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
``` ps1
@@ -175,6 +172,8 @@ Path Publisher
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
+
+
## Exempt apps from EDP restrictions
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
@@ -233,7 +232,7 @@ We recommend that you start with **Silent** or **Override** while verifying with
After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.
-If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com. +If you have multiple domains, you must separate them with the "|" character. For example, `contoso.com|fabrikam.com`. + +  ## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
+After you've added a protection level to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
**Important**
- Every EDP policy should include policy that defines your enterprise network locations.
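Review bot: In the changed sentence under "Choose where apps can access enterprise data", "There are 6 options, including ..." is followed by six items, so "including" wrongly suggests the list is partial. Suggest "There are 6 options: your network domain, cloud domain, ...". Also check that the rest of the file uses "protection level" rather than "protection mode", so the renamed term is consistent.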
@@ -272,7 +271,7 @@ After you've added a protection mode to your apps, you'll need to decide where t
For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the | delimiter. Include the "|" delimiter just before the "|" if you don’t use proxies. For example: [URL,Proxy]|[URL,Proxy].
For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the | delimiter.
Include the "," delimiter just before the "|" if you don’t use proxies. For example:
`[URL,Proxy]|[URL,Proxy]`
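Review bot: The corrected sentence tells the reader to include the "," delimiter just before the "|" when no proxy is used, but the only example, `[URL,Proxy]|[URL,Proxy]`, shows the form with a proxy. Suggest adding a second example of an entry without a proxy so the placement of the trailing comma is unambiguous.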
Apps such as Microsoft Word work with EDP to continue your data encryption across locations and services. These apps are being referred to as, *enterprise aware*. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document, maintaining the encryption. - - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, file syncing apps not on your **Protected App** list, such as Dropbox™, won’t be able to sync encrypted files to the employee’s personal cloud storage. Instead, if an employee stores content in their Microsoft OneDrive for Business folder, which is automatically synced with OneDrive for Business (an app on your **Protected App** list), then the document maintains its encryption and can sync freely. + - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. - **Helping prevent accidental data disclosure to other devices.** EDP helps prevent enterprise data from leaking when it's copied or transferred to other devices. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. 
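Review bot: The rewritten "accidental data disclosure to public spaces" bullet uses both "**Protected App** list" and "**Protected Apps** list" for the same list. Pick one form (the testing-scenarios text in this patch uses **Protected Apps**) and use it in both places. The bullet also switches from "employees" to "the employee" between its two sentences; keep the number consistent.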
diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index 7b52b7889d..3a44cb99ff 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -25,7 +25,7 @@ You can try any of the processes included in these scenarios, but you should foc |Scenario |Processes | |---------|----------| |Automatically encrypt files from enterprise apps |
**Note**
Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.
The app shouldn't be able to access the file.
If your default app association is an app not your **Protected Apps** list, you should get an **Access Denied** error message.
The app shouldn't be able to access the file.
If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message.
You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**.
The content isn't pasted into the non-enterprise app.
The content is pasted into the non-enterprise app.
The content should copy and paste between apps without any warning messages.
You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.
The content isn't dropped into the non-enterprise app.
The content is dropped into the non-enterprise app.
The content should move between the apps without any warning messages.
You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**.
The content isn't shared into Facebook.
The content is shared into Facebook.
The content should share between the apps without any warning messages.