Merge remote-tracking branch 'refs/remotes/origin/rs5' into jd5kiosk

2025-05-29 05:37:22 +00:00 · 2018-08-20 07:29:54 -07:00 · 2018-08-20 07:29:54 -07:00 · 160a3f3300
commit 160a3f3300
parent 9fe2a36e71 3919a02fc1
29 changed files with 94 additions and 35 deletions
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@ -64,12 +64,14 @@ You must turn on the **Configure the Enterprise Mode Site List** Group Policy se

    -   **HTTP location**: *“SiteList”=”http://localhost:8080/sites.xml”*

-    -   **Local network**: *"SiteList"="\\\\network\\shares\\sites.xml"*
+    -   **Local network**: *"SiteList"="\\\network\\shares\\sites.xml"*

-    -   **Local file**: *"SiteList"="file:///c:\\\\Users\\\\&lt;user&gt;\\\\Documents\\\\testList.xml"*
+    -   **Local file**: *"SiteList"="file:///c:/Users/&#060;_username_&#062;/Documents/testList.xml"*

        All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list.

+
+
 3.  Refresh your policy in your organization and then view the affected sites in Microsoft Edge.<p>The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is.

 ## Fix your intranet sites
--- a/browsers/edge/images/allow-shared-books-folder_sm.png
+++ b/browsers/edge/images/allow-shared-books-folder_sm.png
--- a/browsers/edge/images/home-button-hide-sm.png
+++ b/browsers/edge/images/home-button-hide-sm.png
--- a/browsers/edge/images/home-button-hide-v4-sm.png
+++ b/browsers/edge/images/home-button-hide-v4-sm.png
--- a/browsers/edge/images/home-button-hide-v4.png
+++ b/browsers/edge/images/home-button-hide-v4.png
--- a/browsers/edge/images/home-button-hide.png
+++ b/browsers/edge/images/home-button-hide.png
--- a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png
+++ b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png
--- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
+++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
@ -8,8 +8,8 @@

 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Depending on the device configuration, Microsoft Edge gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Gathers both basic and additional diagnostic data. | |
+|Disabled or not configured<br>**(default)** |0 |0 |Microsofot gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Microsoft gathers all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | |
 ---

 ### ADMX info and settings
--- a/browsers/edge/includes/allow-shared-folder-books-include.md
+++ b/browsers/edge/includes/allow-shared-folder-books-include.md
@ -8,9 +8,11 @@
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
 |Disabled or not configured<br>**(default)** |0 |0 |Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder.| |
+|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy.  Also, the users must be signed in with a school or work account.| |
 ---

+![Allow a shared books folder](../images/allow-shared-books-folder_sm.png)
+
 ### ADMX info and settings

 #### ADMX info
@ -30,4 +32,8 @@
 - **Value name:** UseSharedFolderForBooks
 - **Value type:** REG_DWORD

+### Related policies 
+
+**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)]
+
 <hr>
--- a/browsers/edge/includes/do-not-sync-include.md
+++ b/browsers/edge/includes/do-not-sync-include.md
@ -9,7 +9,7 @@
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
 |Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Users can choose what to sync to their device. | |
-|Enabled |2 |2 |Prevented/turned off. Disables the Sync your Settings toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) |
+|Enabled |2 |2 |Prevented/turned off. Disables the _Sync your Settings_ toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) |
 ---

 ### ADMX info and settings
--- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md
+++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
@ -7,7 +7,7 @@

 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors.  | |
+|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Overrides the security warning to sites that have SSL errors.  | |
 |Enabled |1 |1 |Prevented/turned on.  |![Most restricted value](../images/check-gn.png) |
 ---

--- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md
+++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
@ -8,7 +8,7 @@

 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Allowed. Microsoft Edge loads the welcome page. | |
+|Disabled or not configured<br>**(default)** |0 |0 |Allowed. Load the First Run webpage. | |
 |Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) |
 ---

--- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
+++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
@ -10,7 +10,7 @@
 |Group Policy  |Description |
 |---|---|
 |Disabled or not configured<br>**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored.  | 
-|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:<p><p>_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_ <p>After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | 
+|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:<p><p>_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_ <p>After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.<p>Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../available-policies.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | 
 ---

 ### ADMX info and settings
--- a/browsers/edge/includes/provision-favorites-include.md
+++ b/browsers/edge/includes/provision-favorites-include.md
@ -11,7 +11,7 @@

 |Group Policy  |Description |Most restricted |
 |---|---|:---:|
-|Disabled or not configured<br>**(default)** |Default list of favorites not defined in Microsoft Edge. In this case, the Favorites list is customizable, such as adding folders, or adding and removing favorites. | |
+|Disabled or not configured<br>**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
 |Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.  Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) | 
 ---

--- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@ -5,7 +5,7 @@
 [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] 

 >[!TIP]
->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. Allowed values.
+>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. 


 ### Supported values
@ -13,7 +13,7 @@
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
 |Disabled or not configured<br>**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<br><br>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**<p></li><li>Click **Enabled**, refresh the policy, and then view the affected sites in Microsoft Edge.<p><p>A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol>| |
+|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<br><br>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.<p></li><li>Refresh the policy and then view the affected sites in Microsoft Edge.<p><p>A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol>| |
 ---


--- a/browsers/edge/includes/show-message-opening-sites-ie-include.md
+++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md
@ -12,7 +12,7 @@
 |---|:---:|:---:|---|:---:|
 |Disabled or not configured<br>**(default)** |0 |0 |No additional message displays. |![Most restricted value](../images/check-gn.png) |
 |Enabled |1 |1 |Show an additional message stating that a site has opened in IE11. | |
-|Enabled |2 |2 |Show an additional message with a "Keep going in Microsoft Edge" link to allow users to open the site in Microsoft Edge. | |
+|Enabled |2 |2 |Show an additional message with a _Keep going in Microsoft Edge_ link to allow users to open the site in Microsoft Edge. | |
 ---

 ### Configuration options  
--- a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
@ -1 +1 @@
-You can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads book files automatically to a common, shared folder, and prevents users from removing the book from the library. When disabled, Microsoft Edge does not use a shared folder but downloads book files to a folder for each user. For this policy to work properly, users must be signed in with a school or work account.  
+Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy.  Also, the users must be signed in with a school or work account.
--- a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
@ -1 +1 @@
-Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user.  Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
+Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user.  Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.
--- a/browsers/edge/shortdesc/allow-printing-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md
@ -1 +1 @@
-Microsoft Edge allows users to print web content by default. With this policy though, you can configure Microsoft Edge to prevent users from printing web content. 
+Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. 
--- a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
@ -1 +1 @@
-Microsoft Edge loads the default New tab page by default. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose how the New tab page appears.
+By default, Microsoft Edge loads the default New tab page. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose what loads on the New tab page.
--- a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
@ -0,0 +1 @@
+With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app.  Data is shared through the SharedLocal folder, which is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
--- a/browsers/edge/shortdesc/do-not-sync-shortdesc.md
+++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
@ -1 +1 @@
-By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. 
+By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option in this policy. 
--- a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
+++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
@ -1 +1 @@
-Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge.  If you want users to continue in Microsoft Edge, enable this policy to show the “Keep going in Microsoft Edge” link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
+Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge.  If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@ -353,9 +353,8 @@ The following list shows the supported values:

 <!--/Scope-->
 <!--Description-->
-Specifies whether multiple users of the same app can share data.

-Most restricted value is 0.
+[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../../../browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)]

 <!--/Description-->
 <!--ADMXMapped-->
@ -369,9 +368,10 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:

-   0 (default) – Not allowed.
-   1 – Allowed.
+-   0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. 
+-   1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy.  Also, the users must be signed in with a school or work account.

+Most restricted value: 0
 <!--/SupportedValues-->
 <!--/Policy-->

--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 07/18/2018
+ms.date: 08/16/2018
 ms.localizationpriority: medium
 ---

@ -125,8 +125,7 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump
 ## Known issues

 1. Some rules can take a long time to process if the log files involved are large.
-2. SetupDiag only outputs data in a text format.
-3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause.  In this case, try gathering the log files and running SetupDiag in offline mode.
+2. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause.  In this case, try gathering the log files and running SetupDiag in offline mode.


 ## Sample output
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 03/30/2018
+ms.date: 08/18/2018
 ms.localizationpriority: medium
 ---

@ -47,7 +47,7 @@ The following set of result codes are associated with [Windows Setup](https://do
 | 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 |
 | 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install |

-A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procudures](resolution-procedures.md#modern-setup-errors) topic in this article.
+A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article.

 Other result codes can be matched to the specific type of error encountered. To match a result code to an error:

--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@ -44,7 +44,10 @@ To use this script, you can download it from the PowerShell Gallery and run it o

 *Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv*

-Note that you must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
+You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
+
+>[!NOTE]
+>With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe).

 ## Collecting the hardware ID from existing devices using System Center Configuration Manager

--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@ -30,7 +30,7 @@ The distributed systems on which these technologies were built involved several
 * [Device Registration](#device-registration)
  
 ## Directories ##
-Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.  The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The 
+Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.  The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.  

 A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription.  The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.

--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 07/16/2018
+ms.date: 08/16/2018
 ---

 # Microsoft recommended block rules
@ -134,7 +134,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
  <Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
-  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
+  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
+  <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> 
+  <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
  <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/> 
  <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/> 
  <Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/> 
@ -681,7 +683,29 @@ Microsoft recommends that you block the following Microsoft-signed applications
  <Deny ID="ID_DENY_D_580" FriendlyName="PowerShellShell 580" Hash="8838FE3D8E2505F3D3D8B98C64739115838A0B443BBBBFB487342F1EE7801360"/>
  <Deny ID="ID_DENY_D_581" FriendlyName="PowerShellShell 581" Hash="28C5E53DE197E872F7E4772BF40F728F56FE3ACC"/>
  <Deny ID="ID_DENY_D_582" FriendlyName="PowerShellShell 582" Hash="3493DAEC6EC03E56ECC4A15432C750735F75F9CB38D8779C7783B4DA956BF037"/>
-
+  <Deny ID="ID_DENY_D_585" FriendlyName="PowerShellShell 585" Hash="DBB5A6F5388C574A3B5B63E65F7810AB271E9A77"/>
+  <Deny ID="ID_DENY_D_586" FriendlyName="PowerShellShell 586" Hash="6DB24D174CCF06C9138B5A9320AE4261CA0CF305357DEF1B7054DD84758E92AB"/>
+  <Deny ID="ID_DENY_D_587" FriendlyName="PowerShellShell 587" Hash="757626CF5D444F5A4AF79EDE38E9EF65FA2C9802"/>
+  <Deny ID="ID_DENY_D_588" FriendlyName="PowerShellShell 588" Hash="1E17D036EBB5E82BF2FD5BDC3ABAB08B5EA9E4504D989D2BAAAA0B6047988996"/>
+  <Deny ID="ID_DENY_D_589" FriendlyName="PowerShellShell 589" Hash="2965DC840B8F5F7ED2AEC979F21EADA664E3CB70"/>
+  <Deny ID="ID_DENY_D_590" FriendlyName="PowerShellShell 590" Hash="5449560095D020687C268BD34D9425E7A2739E1B9BFBC0886142519293E02B9D"/>
+  <Deny ID="ID_DENY_D_591" FriendlyName="PowerShellShell 591" Hash="BB47C1251866F87723A7EDEC9A01D3B955BAB846"/>
+  <Deny ID="ID_DENY_D_592" FriendlyName="PowerShellShell 592" Hash="B05F3BE23DE6AE2557D6661C6FE35E114E8A69B326A3C855023B7AC5CE9FC31B"/>
+  <Deny ID="ID_DENY_D_593" FriendlyName="PowerShellShell 593" Hash="2F3D30827E02D5FEF051E54C74ECA6AD4CC4BAD2"/>
+  <Deny ID="ID_DENY_D_594" FriendlyName="PowerShellShell 594" Hash="F074589A1FAA76A751B05AD61B968683134F3FFC10DE3077FBCEE4E263EAEB0D"/>
+  <Deny ID="ID_DENY_D_595" FriendlyName="PowerShellShell 595" Hash="10096BD0A359142A13F2B8023A341C79A4A97975"/>
+  <Deny ID="ID_DENY_D_596" FriendlyName="PowerShellShell 596" Hash="A271D72CDE48F69EB694B753BF9417CD6A72F7DA06C52E47BAB40EC2BD9DD819"/>
+  <Deny ID="ID_DENY_D_597" FriendlyName="PowerShellShell 597" Hash="F8E803E1623BA66EA2EE0751A648834130B8BE5D"/>
+  <Deny ID="ID_DENY_D_598" FriendlyName="PowerShellShell 598" Hash="E70DB033B773FE01B1D4464CAC112AF41C09E75D25FEA25AE8DAE67ED941E797"/>
+  <Deny ID="ID_DENY_D_599" FriendlyName="PowerShellShell 599" Hash="665BE52329F9CECEC1CD548A1B4924C9B1F79BD8"/>
+  <Deny ID="ID_DENY_D_600" FriendlyName="PowerShellShell 600" Hash="24CC5B946D9469A39CF892DD4E92117E0E144DC7C6FAA65E71643DEAB87B2A91"/>
+  <Deny ID="ID_DENY_D_601" FriendlyName="PowerShellShell 601" Hash="C4627F2CF69A8575D7BF7065ADF5354D96707DFD"/>
+  <Deny ID="ID_DENY_D_602" FriendlyName="PowerShellShell 602" Hash="7F1DF759C050E0EF4F9F96FF43904B418C674D4830FE61818B60CC68629F5ABA"/>
+  <Deny ID="ID_DENY_D_603" FriendlyName="PowerShellShell 603" Hash="4126DD5947E63DB50AD5C135AC39856B6ED4BF33"/>
+  <Deny ID="ID_DENY_D_604" FriendlyName="PowerShellShell 604" Hash="B38E1198F82E7C2B3123984C017417F2A48BDFF5B6DBAD20B2438D7B65F6E39F"/>
+  <Deny ID="ID_DENY_D_605" FriendlyName="PowerShellShell 605" Hash="DE16A6B93178B6C6FC33FBF3E9A86CFF070DA6D3"/>
+  <Deny ID="ID_DENY_D_606" FriendlyName="PowerShellShell 606" Hash="A3EF9A95D1E859958DEBE44C033B4562EBB9B4C6E32005CA5C07B2E07A42E2BE"/>
+  
  <!-- pubprn.vbs
  --> 
  <!-- rs2 x86fre
@ -767,7 +791,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
  --> 
  <Deny ID="ID_DENY_D_583" FriendlyName="Winrm 583" Hash="3FA2D2963CBF47FFD5F7F5A9B4576F34ED42E552"/> 
  <Deny ID="ID_DENY_D_584" FriendlyName="Winrm 584" Hash="6C96E976DC47E0C99B77814E560E0DC63161C463C75FA15B7A7CA83C11720E82"/> 
- 
+
  </FileRules>
  <!-- Signers
  --> 
@ -814,7 +838,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
  <FileRuleRef RuleID="ID_DENY_LXRUN"/> 
  <FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/> 
  <FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/> 
-  <FileRuleRef RuleID="ID_DENY_WMIC"/> 
+  <FileRuleRef RuleID="ID_DENY_WMIC"/>
+  <FileRuleRef RuleID="ID_DENY_MWFC" /> 
+  <FileRuleRef RuleID="ID_DENY_WFC" />   
  <FileRuleRef RuleID="ID_DENY_D_1"/> 
  <FileRuleRef RuleID="ID_DENY_D_2"/> 
  <FileRuleRef RuleID="ID_DENY_D_3"/> 
@ -1399,6 +1425,28 @@ Microsoft recommends that you block the following Microsoft-signed applications
  <FileRuleRef RuleID="ID_DENY_D_582"/>
  <FileRuleRef RuleID="ID_DENY_D_583"/>
  <FileRuleRef RuleID="ID_DENY_D_584"/>
+  <FileRuleRef RuleID="ID_DENY_D_585"/>
+  <FileRuleRef RuleID="ID_DENY_D_586"/>
+  <FileRuleRef RuleID="ID_DENY_D_587"/>
+  <FileRuleRef RuleID="ID_DENY_D_588"/>
+  <FileRuleRef RuleID="ID_DENY_D_589"/>
+  <FileRuleRef RuleID="ID_DENY_D_590"/>
+  <FileRuleRef RuleID="ID_DENY_D_591"/>
+  <FileRuleRef RuleID="ID_DENY_D_592"/>
+  <FileRuleRef RuleID="ID_DENY_D_593"/>
+  <FileRuleRef RuleID="ID_DENY_D_594"/>
+  <FileRuleRef RuleID="ID_DENY_D_595"/>
+  <FileRuleRef RuleID="ID_DENY_D_596"/>
+  <FileRuleRef RuleID="ID_DENY_D_597"/>
+  <FileRuleRef RuleID="ID_DENY_D_598"/>
+  <FileRuleRef RuleID="ID_DENY_D_599"/>
+  <FileRuleRef RuleID="ID_DENY_D_600"/>
+  <FileRuleRef RuleID="ID_DENY_D_601"/>
+  <FileRuleRef RuleID="ID_DENY_D_602"/>
+  <FileRuleRef RuleID="ID_DENY_D_603"/>
+  <FileRuleRef RuleID="ID_DENY_D_604"/>
+  <FileRuleRef RuleID="ID_DENY_D_605"/>
+  <FileRuleRef RuleID="ID_DENY_D_606"/>
  </FileRulesRef>
  </ProductSigners>
  </SigningScenario>
				`@ -0,0 +1 @@`
				`With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data is shared through the SharedLocal folder, which is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.`