Merge remote-tracking branch 'refs/remotes/origin/master' into jd5holo

browsers/edge/group-policies/favorites-management-gp.md

@@ -18,6 +18,9 @@ ms.sitesec: library
 
 You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages.  Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. 
 
+>[!TIP]
+>You can find the Favorites under C:\\Users\\<_username_>\\Favorites.
+
 You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
 
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\**

browsers/edge/group-policies/start-pages-gp.md

@@ -27,7 +27,7 @@ You can find the Microsoft Edge Group Policy settings in the following location
 
 ## Configuration options 
 
-![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png)
+![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png)
 
 
 ## Configure Open Microsoft Edge With

browsers/edge/img-microsoft-edge-infographic-lg.md

@@ -1,13 +0,0 @@
----
-description: A full-sized view of the Microsoft Edge infographic.
-title: Full-sized view of the Microsoft Edge infographic
-ms.date: 11/10/2016
-ms.author: pashort
-author: shortpatti
----
-
-Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)<br>
-Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
-
-![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png)
-

browsers/edge/includes/allow-extensions-include.md

@@ -41,7 +41,6 @@ ms:topic: include
 
 ### Related topics
 
-[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy):
-This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
 
 <hr>

browsers/edge/includes/browser-extension-policy-shortdesc-include.md

@@ -1,9 +0,0 @@
----
-author: shortpatti
-ms.author: pashort
-ms.date:  10/02/2018
-ms.prod: edge
-ms:topic: include
----
-
-[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.

browsers/edge/includes/configure-additional-search-engines-include.md

@@ -48,7 +48,7 @@ ms:topic: include
 
 ### Related topics
 
-- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
 
 - [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. 
 

browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md

@@ -20,7 +20,7 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o
 | | |
 |---|---|
 |(0) Default or not configured |<ul><li>If it’s a single app, Microsoft Edge runs InPrivate full screen for digital signage or interactive displays.</li><li>If it’s one of many apps, Microsoft Edge runs as normal.</li></ul> |
-|(1) Enabled |<ul><li>If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.<p>**_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.</li><li>If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.</li></ul> |
+|(1) Enabled |<ul><li>If it’s a single app, it runs InPrivate with a tailored experience for kiosks and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.<p>**_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.</li><li>If it’s one of many apps, it runs InPrivate with  multi-tabs for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.</li></ul> |
 ---
 
 ![Microsoft Edge kiosk experience](../images/microsoft-edge-kiosk-mode.png)

browsers/edge/includes/disable-lockdown-of-start-pages-include.md

@@ -50,6 +50,6 @@ ms:topic: include
 
 ### Related topics
 
-[!INCLUDE [browser-extension-policy-shortdesc-include](browser-extension-policy-shortdesc-include.md)]
+[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
 
 <hr>

browsers/edge/includes/provision-favorites-include.md

@@ -12,6 +12,7 @@ ms:topic: include
 
 [!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
 
+
 >[!IMPORTANT]
 >Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
 

browsers/edge/includes/set-default-search-engine-include.md

@@ -50,7 +50,7 @@ ms:topic: include
 
 ### Related topics
 
-- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
 
 - [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. 
 

browsers/edge/microsoft-browser-extension-policy-include.md

@@ -1 +0,0 @@
-[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy)

browsers/edge/microsoft-edge-kiosk-mode-deploy.md

@@ -75,7 +75,9 @@ Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Ed
 
 -  Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
 
--  Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer.  With these methods, you must have the  [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method.
+-  Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer.  With these methods, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: 
+ 
+   Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
 
 
 ### Use Windows Settings 

browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md

@@ -6,4 +6,4 @@ ms.prod: edge
 ms:topic: include
 ---
 
-Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal browsing in Microsoft Edge.
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge.

browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md

@@ -6,4 +6,5 @@ ms.prod: edge
 ms:topic: include
 ---
 
-In this topic, we describe the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy):
+This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.

browsers/edge/shortdesc/shortdesc-test.md

@@ -1,9 +0,0 @@
----
-author: shortpatti
-ms.author: pashort
-ms.date:  10/02/2018
-ms.prod: edge
-ms:topic: include
----
-
-UI settings for the home button are disabled preventing your users from making changes

browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md

@@ -96,7 +96,7 @@ Support for some of the Internet Explorer settings on the wizard pages varies de
 Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
 
 -   **External Distribution**  
-    You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)].
+    You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy).
 
 -   **Internal Distribution - corporate intranet**  
     The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.

devices/hololens/hololens-install-apps.md

@@ -8,7 +8,7 @@ author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 09/11/2018
+ms.date: 12/20/2017
 ---
 
 # Install apps on HoloLens
@@ -55,7 +55,8 @@ The method that you use to install an app from your Microsoft Store for Business
 
 ## Use MDM to deploy apps to HoloLens
 
-
+>[!IMPORTANT]
+>Online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. Instead, you can use your MDM provider to deploy MDM-hosted apps to HoloLens, or deploy offline-licensed apps to HoloLens via Store for Business
 
 
 You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps).
@@ -63,8 +64,6 @@ You can deploy UWP apps to HoloLens using your MDM provider. For Intune instruct
 Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune).
 
 
->[!TIP]
->In Windows 10, version 1607, online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. [Update your HoloLens to a later build](https://support.microsoft.com/help/12643/hololens-update-hololens) for this capability.
 
 ## Use the Windows Device Portal to install apps on HoloLens
 
@@ -80,15 +79,13 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft.
     >[!TIP]
     >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
 
-4. In the Windows Device Portal, click **Views** and select **Apps**.
+4. In the Windows Device Portal, click **Apps**.
 
     ![App Manager](images/apps.png)
     
-5. Click **Add** to open the **Deploy or Install Application dialog**.
+5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**.
 
-6. Select an **app package** from a folder on your computer or network. If the app package requires additional software or framework packages, click **I want to specify framework packages**.
-
-7. Click **Next** to deploy the app package and added dependencies to the connected HoloLens.
+6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens.
 
 
 

devices/hololens/hololens-kiosk.md

@@ -14,11 +14,11 @@ ms.date: 11/13/2018
 
 
 
-In Windows 10, version 1803 and later, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest)
+In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest)
 
 When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
 
-Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app.  
+Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. 
 
 The following table lists the device capabilities in the different kiosk modes.
 
@@ -35,15 +35,14 @@ The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft
 >[!WARNING]
 >The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
 >
->Be aware that voice commands are enabled for multi-app kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. 
+>Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. 
 
-For HoloLens devices running Windows 10, version 1803 or later, there are three methods that you can use to configure the device as a kiosk:
+For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk:
 - You can use [Microsoft Intune or other mobile device management (MDM) service](#intune-kiosk) to configure single-app and multi-app kiosks.
 - You can [use a provisioning package](#ppkg-kiosk) to configure single-app and multi-app kiosks.
 - You can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
 
->[!NOTE]
->For HoloLens devices running Windows 10, version 1607, [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks.
+For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks.
 
 <span id="start-kiosk"/>
 ## Start layout for HoloLens 
@@ -220,10 +219,10 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest*
 - We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app.
 - You can select Cortana as a kiosk app. 
 - To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app.
+
 ## More information
 
 
 
 Watch how to configure a kiosk in a provisioning package.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
-

devices/hololens/hololens-provisioning.md

@@ -137,7 +137,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
 10. When the build completes, click **Finish**. 
 
 <span id="apply" />
-## Apply a provisioning package to HoloLens during setup
+## Apply a provisioning package to HoloLens
 
 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
 
@@ -156,23 +156,6 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
 >[!NOTE]
 >If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
 
-## Apply a provisioning package to HoloLens after setup
-
->[!NOTE]
->Windows 10, version 1809 only
-
-On your PC:
-1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). 
-2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. 
-3. Drag and drop the provisioning package to the Documents folder on the HoloLens. 
-
-On your HoloLens: 
-1. Go to **Settings > Accounts > Access work or school**. 
-2. In **Related Settings**, select **Add or remove a provisioning package**.
-3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**.
-
-After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package.
-
 ## What you can configure
 
 Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).

devices/hololens/hololens-setup.md

@@ -7,7 +7,7 @@ author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 08/02/2018
+ms.date: 07/27/2017
 ---
 
 # Set up HoloLens
@@ -30,12 +30,7 @@ The HoloLens setup process combines a quick tutorial on using HoloLens with the
 2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens.
 3. Next, you'll be guided through connecting to a Wi-Fi network. 
 4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**. 
-    - When you choose **My work or school owns it**, you sign in with an Azure AD account.
-
-        >[!NOTE]
-        >[To share your HoloLens device with multiple Azure AD accounts](hololens-multiple-users.md), the HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
-    
-        If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+    - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
         1. Enter your organizational account. 
         2. Accept privacy statement.
         3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page.

devices/surface/TOC.md

@@ -10,6 +10,7 @@
 ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
 #### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
 #### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
+### [Battery Limit setting](battery-limit.md)
 ## [Surface firmware and driver updates](update.md)
 ### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
 ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

devices/surface/battery-limit.md

@@ -0,0 +1,84 @@
+---
+title: Battery Limit setting (Surface)
+description: Battery Limit is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: brecords
+ms.date: 10/02/2018
+ms.author: jdecker
+ms.topic: article
+---
+
+# Battery Limit settings
+
+Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in  cases  in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions.  
+
+## Battery Limit information
+
+Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond  this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity.  
+
+Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [support article](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models. 
+
+## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later)
+
+The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Advanced Options**, toggle **Enable Battery Limit Mode** to **On**.  
+
+![Screenshot of Advanced options](images/enable-bl.png) 
+
+## Enabling Battery Limit in Surface UEFI (Surface Pro 3)
+
+The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**.
+
+![Screenshot of Advanced options](images/enable-bl-sp3.png) 
+
+![Screenshot of Advanced options](images/enable-bl-sp3-2.png) 
+
+## Enabling Battery Limit using Surface Enterprise Management Mode (SEMM) or Surface Pro 3 firmware PowerShell scripts
+
+The Surface UEFI battery limit is also available for configuration via the following methods:
+
+- Surface Pro 4 and later 
+    - [Microsoft Surface UEFI Configurator](https://docs.microsoft.com/en-us/surface/surface-enterprise-management-mode)  
+    - Surface UEFI Manager Powershell scripts (SEMM_Powershell.zip) in the [Surface Tools for IT downloads](https://www.microsoft.com/download/details.aspx?id=46703)
+- Surface Pro 3 
+    - [SP3_Firmware_Powershell_Scripts.zip](https://www.microsoft.com/download/details.aspx?id=46703)
+
+### Using Microsoft Surface UEFI Configurator
+
+To configure Battery Limit mode, set the **Kiosk Overrides** setting on the **Advanced Settings** configuration page in SEMM (Surface Pro 4 and later).
+
+![Screenshot of advanced settings](images/semm-bl.png)
+
+### Using Surface UEFI Manager PowerShell scripts
+
+The battery limit feature is controlled via the following setting:  
+
+`407 = Battery Profile`
+
+**Description**:  Active management scheme for battery usage pattern
+
+**Default**:  `0` 
+
+Set this to `1` to enable Battery Limit.
+
+### Using Surface Pro 3 firmware tools
+
+The battery limit feature is controlled via the following setting:  
+
+**Name**: BatteryLimitEnable
+
+**Description**:  BatteryLimit
+
+**Current Value**:  `0` 
+
+**Default Value**: `0`
+
+**Proposed Value**: `0` 
+
+Set this to `1` to enable Battery Limit.
+
+>[!NOTE]
+>To configure this setting, you must use [SP3_Firmware_Powershell_Scripts.zip](https://www.microsoft.com/download/details.aspx?id=46703). 
+

devices/surface/change-history-for-surface.md

@@ -7,13 +7,19 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 05/15/2018
+ms.date: 10/02/2018
 ---
 
 # Change history for Surface documentation
 
 This topic lists new and updated topics in the Surface documentation library.
 
+## October 2018
+
+New or changed topic | Description
+--- | ---
+[Battery Limit setting](battery-limit.md) | New
+
 ## May 2018
 
 |New or changed topic | Description |

devices/surface/deploy.md

@@ -6,14 +6,14 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: brecords
-ms.date: 01/29/2018
+ms.date: 10/02/2018
 ms.author: jdecker
 ms.topic: article
 ---
 
 # Deploy Surface devices
 
-Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
+Get deployment guidance for your Surface devices including information about Microsoft Deployment Toolkit (MDT), out-of-box-experience (OOBE) customization, Ethernet adaptors, Surface Deployment Accelerator, and the Battery Limit setting.
 
 ## In this section
 
@@ -26,6 +26,7 @@ Get deployment guidance for your Surface devices including information about MDT
 | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
 | [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.|
 | [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
+[Battery Limit setting](battery-limit.md) | Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity.
 
 
 

windows/client-management/manage-settings-app-with-group-policy.md

@@ -8,9 +8,20 @@ author: brianlic-msft
 ms.date: 04/19/2017
 ---
 
+**Applies to**
+
+-   Windows 10, Windows Server 2016
+
+
 # Manage the Settings app with Group Policy
 
-Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
+You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
+To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. 
+
+>[!Note]
+>Each server that you want to manage access to the Settings App must be patched.
+
+To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management.
 
 This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
 

windows/client-management/mdm/accounts-ddf-file.md

@@ -68,7 +68,7 @@ The XML below is for Windows 10, version 1803.
               <AccessType>
                 <Add />
               </AccessType>
-              <Description>This node specifies the name for a device.  This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution:  %RAND:&lt;# of digits&gt;% and %SERIAL%.  Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456").  (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.</Description>
+              <Description>This node specifies the name for a device.  This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution:  %RAND:&lt;# of digits>% and %SERIAL%.  Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456").  (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.</Description>
               <DFFormat>
                 <chr />
               </DFFormat>

windows/client-management/mdm/activesync-csp.md

@@ -89,7 +89,7 @@ Required. A character string that specifies the location of the icon associated
 
 Supported operations are Get, Replace, and Add (cannot Add after the account is created).
 
-The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
+The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
 
 <a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**  
 Required. A character string that specifies the account type.

windows/client-management/mdm/appv-deploy-and-config.md

@@ -106,7 +106,7 @@ ms.date: 06/26/2017
 		<Target>
 			<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
 		</Target>
-		<Data>&lt;enabled/&gt;</Data>
+		<Data><enabled/></Data>
 	</Item>
 </Replace>
 ```
@@ -126,7 +126,7 @@ ms.date: 06/26/2017
 		<Target> 
 			<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI> 
 		</Target> 
-		<Data>&lt;enabled/&gt;</Data> 
+		<Data><enabled/></Data> 
 	</Item> 
 </Replace> 
 ```

windows/client-management/mdm/azure-active-directory-integration-with-mdm.md

@@ -60,7 +60,7 @@ In the out-of-the-box scenario, the web view is 100% full screen, which gives th
 
 For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246).
 
-Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
+Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
 
 > **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
 
@@ -122,7 +122,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
 6.  Click **Add an application my organization is developing**.
 7.  Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
 8.  Enter the login URL for your MDM service.
-9.  For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK.
+9.  For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK.
 10. While still in the Azure portal, click the **Configure** tab of your application.
 11. Mark your application as **multi-tenant**.
 12. Find the client ID value and copy it.

windows/client-management/mdm/browserfavorite-csp.md

@@ -33,7 +33,7 @@ The following diagram shows the BrowserFavorite configuration service provider i
 <a href="" id="favorite-name-------------"></a>***favorite name***   
 Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
 
-> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " &lt; &gt; |
+> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
 
  
 

windows/client-management/mdm/certificatestore-csp.md

@@ -194,7 +194,7 @@ Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 ce
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="my-scep-uniqueid-install-subjectalternativenames"></a>**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**  
-Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *&lt;nameformat1&gt;*+*&lt;actual name1&gt;*;*&lt;name format 2&gt;*+*&lt;actual name2&gt;*. Value type is chr.
+Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *<nameformat1>*+*<actual name1>*;*<name format 2>*+*<actual name2>*. Value type is chr.
 
 Supported operations are Get, Add, Delete, and Replace.
 
@@ -299,7 +299,7 @@ For ROBO renewal failure, the client retries the renewal periodically until the
 
 For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again.
 
-The default value is 7 and the valid values are 1 – 1000 AND =&lt; RenewalPeriod, otherwise it will result in errors. Value type is an integer.
+The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer.
 
 Supported operations are Add, Get, Delete, and Replace.
 

windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md

@@ -32,7 +32,7 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
 
 Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:
 
--   Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
+-   Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
 
 Here's a screenshot:
 
@@ -138,7 +138,7 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi
     ![field medic screenshot](images/diagnose-mdm-failures5.png)
 
 7.  Save the logs. They will be stored in the Field Medic log location on the device.
-8.  You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder.
+8.  You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder.
 
     ![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png)
 

windows/client-management/mdm/dynamicmanagement-csp.md

@@ -93,8 +93,8 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me
           <Type xmlns="syncml:metinf">text/plain</Type>
           <Format xmlns="syncml:metinf">chr</Format>
         </Meta>
-        <Data>&lt;SyncML&gt;
-  &lt;SyncBody&gt;&lt;Replace&gt;&lt;CmdID&gt;1001&lt;/CmdID&gt;&lt;Item&gt;&lt;Target&gt;&lt;LocURI&gt;./Vendor/MSFT/Policy/Config/Experience/AllowCortana&lt;/LocURI&gt;&lt;/Target&gt;&lt;Meta&gt;&lt;Format xmlns=&quot;syncml:metinf&quot;&gt;int&lt;/Format&gt;&lt;/Meta&gt;&lt;Data&gt;0&lt;/Data&gt;&lt;/Item&gt;&lt;/Replace&gt;&lt;Final/&gt;&lt;/SyncBody&gt;&lt;/SyncML&gt;</Data>
+        <Data><SyncML>
+  <SyncBody><Replace><CmdID>1001</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace><Final/></SyncBody></SyncML></Data>
       </Item>
     </Replace>
     <Replace>
@@ -108,15 +108,15 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me
           <Format xmlns="syncml:metinf">chr</Format>
         </Meta>
         <Data>
-          &lt;rule schemaVersion=&quot;1.0&quot;&gt;
+          <rule schemaVersion="1.0">
           
-           &lt;and&gt;
-                    &lt;signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/&gt;        
-                    &lt;signal type=&quot;time&quot;&gt;
-                              &lt;daily startTime=&quot;09:00:00&quot; endTime=&quot;17:00:00&quot;/&gt;
-                    &lt;/signal&gt;           
-           &lt;/and&gt;
-          &lt;/rule&gt;
+           <and>
+                    <signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/>        
+                    <signal type="time">
+                              <daily startTime="09:00:00" endTime="17:00:00"/>
+                    </signal>           
+           </and>
+          </rule>
         </Data>
       </Item>
     </Replace>
@@ -147,31 +147,31 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
           <Type xmlns="syncml:metinf">text/plain</Type>
           <Format xmlns="syncml:metinf">chr</Format>
         </Meta>
-        <Data>&lt;SyncML&gt;
-  &lt;SyncBody&gt;&lt;Replace&gt;&lt;CmdID&gt;1002&lt;/CmdID&gt;&lt;Item&gt;&lt;Target&gt;&lt;LocURI&gt;./Vendor/MSFT/Policy/Config/Camera/AllowCamera&lt;/LocURI&gt;&lt;/Target&gt;&lt;Meta&gt;&lt;Format xmlns=&quot;syncml:metinf&quot;&gt;int&lt;/Format&gt;&lt;/Meta&gt;&lt;Data&gt;0&lt;/Data&gt;&lt;/Item&gt;&lt;/Replace&gt; &lt;Final/&gt;&lt;/SyncBody&gt;&lt;/SyncML&gt;</Data>
+        <Data><SyncML>
+  <SyncBody><Replace><CmdID>1002</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace> <Final/></SyncBody></SyncML></Data>
       </Item>
     </Replace>
     <Replace>
       <CmdID>301</CmdID>
       <Item>
         <Target>
-          <LocURI>./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /SignalDefinition</LocURI>
+          <LocURI>./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SignalDefinition</LocURI>
         </Target>
         <Meta>
           <Type xmlns="syncml:metinf">text/plain</Type>
           <Format xmlns="syncml:metinf">chr</Format>
         </Meta>
         <Data>
-          &lt;rule schemaVersion=&quot;1.0&quot;&gt;          
-           &lt;and&gt;
-             &lt;signal type="ipConfig"&gt; 
-                   &lt;ipv4Gateway&gt;192.168.0.1&lt;/ipv4Gateway&gt; 
-             &lt;/signal&gt; 
-                    &lt;signal type=&quot;time&quot;&gt;
-                              &lt;daily startTime=&quot;09:00:00&quot; endTime=&quot;17:00:00&quot;/&gt;
-                    &lt;/signal&gt;  
-           &lt;/and&gt;
-          &lt;/rule&gt;
+          <rule schemaVersion="1.0">          
+           <and>
+             <signal type="ipConfig"> 
+                   <ipv4Gateway>192.168.0.1</ipv4Gateway> 
+             </signal> 
+                    <signal type="time">
+                              <daily startTime="09:00:00" endTime="17:00:00"/>
+                    </signal>  
+           </and>
+          </rule>
         </Data>
       </Item>
     </Replace>
@@ -179,7 +179,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
       <CmdID>302</CmdID>
       <Item>
         <Target>
-          <LocURI>./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /Altitude</LocURI>
+          <LocURI>./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/Altitude</LocURI>
         </Target>
         <Meta>
           <Format xmlns="syncml:metinf">int</Format>

windows/client-management/mdm/eap-configuration.md

@@ -124,7 +124,7 @@ A production ready deployment must have the appropriate certificate details as p
 
 EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
 
--   For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
+-   For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
 -   For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
 
 For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>

windows/client-management/mdm/email2-csp.md

@@ -302,7 +302,7 @@ Value is one of the following:
 
 When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
 
-For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the <LocURI></LocURI> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
+For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
 
 -   The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
 

windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md

@@ -70,7 +70,7 @@ Summary of steps to enable a policy:
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
         </Target>
-        <Data>&lt;Enabled/&gt;</Data>
+        <Data><Enabled/></Data>
       </Item>
     </Replace>
     <Final/>
@@ -270,7 +270,7 @@ The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualiza
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
         </Target>
-        <Data>&lt;disabled/&gt;</Data>
+        <Data><disabled/></Data>
       </Item>
     </Replace>
     <Final/>

windows/client-management/mdm/enterpriseassignedaccess-csp.md

@@ -40,7 +40,7 @@ Supported operations are Add, Delete, Get and Replace.
 The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
 
 > [!Important]    
-> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
+> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
 
 When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
 
@@ -51,8 +51,8 @@ ActionCenter | Example: `<ActionCenter enabled="true"></ActionCenter>`
 ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled;  **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)
 ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>`
 ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>`
-StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx. **Large** - sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.
-StartScreenSize | If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
+StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx.
+StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
 Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).
 Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>`
 Application | <img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
@@ -105,7 +105,7 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.m
 
 Entry | Description
 ----------- | ------------
-Folder | A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
+Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
 
 Folder example:
 ``` syntax
@@ -403,7 +403,7 @@ The Search and custom buttons can be <em>remapped</em> or configured to open a s
 >
 > Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
 
-To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.
+To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open.
 
 ``` syntax
 <ButtonRemapList>
@@ -1199,7 +1199,7 @@ The following example shows how to add a new policy.
   <characteristic type="EnterpriseAssignedAccess">
     <characteristic type="AssignedAccess">
       <parm name=" AssignedAccessXml" datatype="string"
-            value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;0&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;"/>
+            value="<?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="0"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><ButtonLockdownList><Button name="Start"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button><Button name="Camera"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button><Button name="Search"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList><ButtonRemapList/></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><ButtonLockdownList><Button name="Start"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button><Button name="Camera"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList><ButtonRemapList/></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><ButtonLockdownList><Button name="Start"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList><ButtonRemapList/></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown>"/>
     </characteristic>
   </characteristic>
 </wap-provisioningdoc>
@@ -1237,7 +1237,7 @@ The following example shows how to lock down a device.
             <Target>
                <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml</LocURI>
             </Target>
-            <Data>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;2&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;Button name=&quot;Search&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;</Data>
+            <Data><?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /><Button name="Search" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown></Data>
          </Item>
       </Add>
       <Final/>

windows/client-management/mdm/enterpriseassignedaccess-xsd.md

@@ -13,7 +13,7 @@ ms.date: 06/26/2017
 # EnterpriseAssignedAccess XSD
 
 
-This XSD can be used to validate that the lockdown XML in the <Data> block of the AssignedAccessXML node.
+This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
 
 ``` syntax
 <?xml version="1.0" encoding="utf-16LE" ?>

windows/client-management/mdm/enterprisedataprotection-csp.md

@@ -60,7 +60,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
 
 <p style="margin-left: 20px">Here are the steps to create canonical domain names:
 
-1.  Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -&gt; microsoft.com.
+1.  Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
 2.  Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
 3.  Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
 

windows/client-management/mdm/enterpriseext-csp.md

@@ -32,7 +32,7 @@ The root node for the EnterpriseExt configuration service provider. Supported op
 Node for setting the custom device ID and string.
 
 <a href="" id="devicecustomdata-customid"></a>**DeviceCustomData/CustomID**  
-Any string value as the device ID. This value appears in **Settings** &gt; **About** &gt; **Info**.
+Any string value as the device ID. This value appears in **Settings** > **About** > **Info**.
 
 Here's an example for getting custom data.
 

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -593,7 +593,7 @@ Query the device for a specific app subcategory, such as nonStore apps.
 </Get>
 ```
 
-The result contains a list of apps, such as &lt;Data&gt;App1/App2/App3&lt;/Data&gt;.
+The result contains a list of apps, such as \<Data>App1/App2/App\</Data\>.
 
 Subsequent query for a specific app for its properties.
 

windows/client-management/mdm/index.md

@@ -25,6 +25,23 @@ There are two parts to the Windows 10 management component:
 
 Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
 
+## MDM security baseline
+
+With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
+
+The MDM security baseline includes policies that cover the following areas:
+
+- Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting use of legacy technology
+- Legacy technology policies that offer alternative solutions with modern technology
+- And much more
+
+For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/).
+
+
+
 <span id="mmat" />
 ## Learn about migrating to MDM
 

windows/client-management/mdm/management-tool-for-windows-store-for-business.md

@@ -123,7 +123,7 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
 
 Here are the details for requesting an authorization token:
 
--   Login Authority = https:<span></span>//login.windows.net/&lt;TargetTenantId&gt;
+-   Login Authority = https:<span></span>//login.windows.net/\<TargetTenantId\>
 -   Resource/audience\* = https:<span></span>//onestore.microsoft.com
 -   ClientId = your AAD application client id
 -   ClientSecret = your AAD application client secret/key

windows/client-management/mdm/nodecache-csp.md

@@ -334,7 +334,7 @@ A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/Expect
 A Get operation on the ChangedNodesData returns an encoded XML. Here is example:
 
 ```syntax
-<Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes>
+<Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes>
 ```
 It represents this:
 

windows/client-management/mdm/policy-csp-browser.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.technology: windows
 author: shortpatti
 ms.author: pashort
-ms.date: 08/08/2018
+ms.date: 10/02/2018
 ---
 
 # Policy CSP - Browser
@@ -873,7 +873,6 @@ Most restricted value: 1
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810* 
 
 
 [!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)]
@@ -1211,7 +1210,6 @@ To verify AllowPopups is set to 0 (not allowed):
 <!--Description-->
 
 
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 [!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)]
 
@@ -1280,7 +1278,6 @@ Most restricted value: 0
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)]
@@ -1350,7 +1347,6 @@ Most restricted value: 0
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)]
@@ -1549,7 +1545,6 @@ Most restricted value: 0
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)]
@@ -1688,7 +1683,6 @@ To verify AllowSmartScreen is set to 0 (not allowed):
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)]
@@ -1757,7 +1751,6 @@ Most restricted value: 1
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
@@ -2029,7 +2022,6 @@ Most restricted value: 0
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)]
@@ -2099,8 +2091,6 @@ Supported values:
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
-
 
 [!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)]
 
@@ -2174,8 +2164,6 @@ Supported values:
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
-
 
 [!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)]
 
@@ -2252,7 +2240,6 @@ Supported values:
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
@@ -2324,8 +2311,6 @@ Supported values:
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
-
 
 [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
 
@@ -2407,8 +2392,6 @@ Supported values:
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
-
 
 [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)]
 
@@ -2781,7 +2764,7 @@ Starting with this version, the HomePages policy enforces that users cannot chan
 **Version 1703**<br>
 If you don't want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non-domain-joined devices when it's the only configured URL. 
 
-**Next Windows 10 major release**<br>
+**Version 1809**<br>
 When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. 
 
 
@@ -2970,7 +2953,6 @@ Most restricted value: 1
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)]
 
@@ -3620,8 +3602,6 @@ Most restricted value: 1
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
-
 
 [!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)]
 
@@ -3689,8 +3669,6 @@ Supported values:
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
-
 
 [!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)]
 
@@ -3897,7 +3875,6 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
 
 <!--/Scope-->
 <!--Description-->
->*Supported versions: Microsoft Edge on Windows 10, version 1810*
 
 
 [!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)]
@@ -3994,7 +3971,7 @@ Footnote:
 -   2 - Supported versions, version 1703.
 -   3 - Supported versions, version 1709.
 -   4 - Supported versions, version 1803.
--   5 - Added in the next major update to Windows of Windows 10.
+-   5 - Supported versions, version 1809.
 
 <!--/Policies-->
 

windows/client-management/mdm/policy-ddf-file.md

@@ -1420,12 +1420,12 @@ Related policy:
 
 If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
 
-      <support.contoso.com><support.microsoft.com>
+      <support.contoso.com><support.microsoft.com>
 
 If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
 
 Version 1703 or later:
-If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
+If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
 
 Version 1809:
 If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
@@ -10603,12 +10603,12 @@ Related policy:
 
 If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
 
-      &lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
+      <support.contoso.com><support.microsoft.com>
 
 If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
 
 Version 1703 or later:
-If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
+If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
 
 Version 1809:
 If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
@@ -22414,12 +22414,12 @@ Related policy:
 
 If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
 
-      &lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
+      <support.contoso.com><support.microsoft.com>
 
 If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
 
 Version 1703 or later:
-If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
+If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
 
 Version 1809:
 If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
@@ -49724,12 +49724,12 @@ Related policy:
 
 If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
 
-      &lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
+      <support.contoso.com><support.microsoft.com>
 
 If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
 
 Version 1703 or later:
-If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
+If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
 
 Version 1809:
 If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.

windows/client-management/mdm/uefi-csp.md

@@ -6,13 +6,16 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 02/01/2018
+ms.date: 10/02/2018
 ---
 
 # UEFI CSP
 
 
-The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803.
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
+
+> [!Note]  
+> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
 
 The following diagram shows the UEFI CSP in tree format.
 
@@ -23,62 +26,102 @@ The following list describes the characteristics and parameters.
 <a href="" id="uefi"></a>**./Vendor/MSFT/Uefi**  
 Root node.
 
-<a href="" id="uefideviceidentifier"></a>**UefiDeviceIdentifier**  
-Retrieves XML from UEFI which describes the device identifier.
+<a href="" id="deviceidentifier"></a>**DeviceIdentifier**  
+Retrieves XML from UEFI that describes the device identifier.
 
 Supported operation is Get.
 
-<a href="" id="identityinfo"></a>**IdentityInfo**  
-Node for provisioned signers operations.
-
-
-<a href="" id="identityinfo-current"></a>**IdentityInfo/Current**  
-Retrieves XML from UEFI which describes the current UEFI identity information.
+<a href="" id="identity"></a>**Identity**  
+Node for identity certificate operations.
 
 Supported operation is Get.
 
-<a href="" id="identityinfo-apply"></a>**IdentityInfo/Apply**  
-Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
-
-Supported operation is Replace.
-
-<a href="" id="identityinfo-applyresult"></a>**IdentityInfo/ApplyResult**  
-Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+<a href="" id="identity-current"></a>**Identity/Current**  
+Retrieves XML from UEFI that describes the current UEFI identity certificate information.
 
 Supported operation is Get.
 
-<a href="" id="authinfo"></a>**AuthInfo**  
-Node for permission information operations.
+<a href="" id="identity-apply"></a>**Identity/Apply**  
+Applies an identity information package to UEFI. Input is the signed package in base64 encoded format.
 
-<a href="" id="authinfo-current"></a>**AuthInfo/Current**  
-Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+Value type is Base64. Supported operation is Replace.
+
+<a href="" id="identity-result"></a>**Identity/Result**  
+Retrieves the binary result package of the previous Identity/Apply operation.
 
 Supported operation is Get.
 
-<a href="" id="authinfo-apply"></a>**AuthInfo/Apply**  
-Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+<a href="" id="permissions"></a>**Permissions**  
+Node for settings permission operations..
 
-Supported operation is Replace.
-
-<a href="" id="authinfo-applyresult"></a>**AuthInfo/ApplyResult**  
-Retrieves XML describing the results of previous ApplyAuthInfo operation.
+<a href="" id="permissions-current"></a>**Permissions/Current**  
+Retrieves XML from UEFI that describes the current UEFI settings permissions.
 
 Supported operation is Get.
 
-<a href="" id="config"></a>**Config**  
-Node for device configuration
+<a href="" id="permissions-apply"></a>**Permissions/Apply**  
+Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.
 
-<a href="" id="config-current"></a>**Config/Current**  
-Retrieves XML from UEFI which describes the current UEFI configuration.
+Value type is Base64. Supported operation is Replace.
+
+<a href="" id="permissions-result"></a>**Permissions/Result**  
+Retrieves the binary result package of the previous Permissions/Apply operation.  This binary package contains XML describing the action taken for each individual permission.
 
 Supported operation is Get.
 
-<a href="" id="config-apply"></a>**Config/Apply**  
-Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+<a href="" id="settings"></a>**Settings**  
+Node for device settings operations.
 
-Supported operation is Replace.
-
-<a href="" id="config-applyresult"></a>**Config/ApplyResult**  
-Retrieves XML describing the results of previous ApplyConfig operation.
+<a href="" id="settings-current"></a>**Settings/Current**  
+Retrieves XML from UEFI that describes the current UEFI settings.
+
+Supported operation is Get.
+
+<a href="" id="settings-apply"></a>**Settings/Apply**  
+Apply a settings information package to UEFI. Input is the signed package in base64 encoded format.
+
+Value type is Base64. Supported operation is Replace.
+
+<a href="" id="settings-result"></a>**Settings/Result**  
+Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting.
+
+Supported operation is Get.
+
+<a href="" id="identity2"></a>**Identity2**  
+Node for identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart.
+
+<a href="" id="identity2-apply"></a>**Identity2/Apply**  
+Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session.
+
+Value type is Base64. Supported operation is Replace.
+
+<a href="" id="identity2-result"></a>**Identity2/Result**  
+Retrieves the binary result package of the previous Identity2/Apply operation.
+
+Supported operation is Get.
+
+<a href="" id="permissions2"></a>**Permissions2**  
+Node for settings permission operations. Alternate endpoint for sending a second permission package without an OS restart.
+
+<a href="" id="permissions2-apply"></a>**Permissions2/Apply**  
+Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.  Alternate location for sending two permissions information packages in the same session.
+
+Value type is Base64. Supported operation is Replace.
+
+<a href="" id="permissions2-result"></a>**Permissions2/Result**  
+Retrieves the binary result package from the previous Permissions2/Apply operation.  This binary package contains XML describing the action taken for each individual permission.
+
+Supported operation is Get.
+
+<a href="" id="settings2"></a>**Settings2**  
+Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
+
+<a href="" id="settings2-apply"></a>**Settings2/Apply**  
+Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session.
+
+Value type is Base64. Supported operation is Replace.
+
+<a href="" id="settings2-result"></a>**Settings2/Result**  
+Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting.
 
 Supported operation is Get.

windows/client-management/mdm/uefi-ddf.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 02/01/2018
+ms.date: 10/02/2018
 ---
 
 # UEFI DDF file
@@ -16,7 +16,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Uefi**
 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 
-The XML below is the current version for this CSP. 
+The XML below is for Windows 10, version 1809. 
 
 ``` syntax
 <?xml version="1.0" encoding="UTF-8"?>
@@ -32,6 +32,7 @@ The XML below is the current version for this CSP.
           <AccessType>
             <Get />
           </AccessType>
+          <Description>UEFI Firmware Configuration Service Provider.</Description>
           <DFFormat>
             <node />
           </DFFormat>
@@ -46,12 +47,12 @@ The XML below is the current version for this CSP.
           </DFType>
         </DFProperties>
         <Node>
-          <NodeName>UefiDeviceIdentifier</NodeName>
+          <NodeName>DeviceIdentifier</NodeName>
           <DFProperties>
             <AccessType>
               <Get />
             </AccessType>
-            <Description>Retrieves XML from UEFI which describes the device identifier.</Description>
+            <Description>Retrieves XML from UEFI which contains the device identifier.</Description>
             <DFFormat>
               <xml />
             </DFFormat>
@@ -61,21 +62,18 @@ The XML below is the current version for this CSP.
             <Scope>
               <Permanent />
             </Scope>
-            <CaseSense>
-              <CIS />
-            </CaseSense>
             <DFType>
               <MIME>text/plain</MIME>
             </DFType>
           </DFProperties>
         </Node>
         <Node>
-          <NodeName>IdentityInfo</NodeName>
+          <NodeName>Identity</NodeName>
           <DFProperties>
             <AccessType>
               <Get />
             </AccessType>
-            <Description>Provisioned signers</Description>
+            <Description>Identity certificate operations.</Description>
             <DFFormat>
               <node />
             </DFFormat>
@@ -95,7 +93,7 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Retrieves XML from UEFI which describes the current UEFI identity information</Description>
+              <Description>Retrieves XML from UEFI which describes the current UEFI identity certificate information.</Description>
               <DFFormat>
                 <xml />
               </DFFormat>
@@ -132,14 +130,14 @@ The XML below is the current version for this CSP.
             </DFProperties>
           </Node>
           <Node>
-            <NodeName>ApplyResult</NodeName>
+            <NodeName>Result</NodeName>
             <DFProperties>
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Retrieves XML describing the results of previous ApplyIdentityInfo operation.</Description>
+              <Description>Retrieves the binary result package of the previous Identity/Apply operation.</Description>
               <DFFormat>
-                <xml />
+                <b64 />
               </DFFormat>
               <Occurrence>
                 <One />
@@ -148,18 +146,18 @@ The XML below is the current version for this CSP.
                 <Permanent />
               </Scope>
               <DFType>
-                <MIME>text/plain</MIME>
+                <DDFName></DDFName>
               </DFType>
             </DFProperties>
           </Node>
         </Node>
         <Node>
-          <NodeName>AuthInfo</NodeName>
+          <NodeName>Permissions</NodeName>
           <DFProperties>
             <AccessType>
               <Get />
             </AccessType>
-            <Description>Permission Information</Description>
+            <Description>Settings permission operations.</Description>
             <DFFormat>
               <node />
             </DFFormat>
@@ -179,7 +177,7 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Retrieves XML from UEFI which describes the current UEFI permission/authentication information.</Description>
+              <Description>Retrieves XML from UEFI which describes the current UEFI settings permissions.</Description>
               <DFFormat>
                 <xml />
               </DFFormat>
@@ -200,7 +198,7 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Replace />
               </AccessType>
-              <Description>Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.</Description>
+              <Description>Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.</Description>
               <DFFormat>
                 <b64 />
               </DFFormat>
@@ -216,14 +214,14 @@ The XML below is the current version for this CSP.
             </DFProperties>
           </Node>
           <Node>
-            <NodeName>ApplyResult</NodeName>
+            <NodeName>Result</NodeName>
             <DFProperties>
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Retrieves XML describing the results of previous ApplyAuthInfo operation.</Description>
+              <Description>Retrieves the binary result package of the previous Permissions/Apply operation.  This binary package contains XML describing the action taken for each individual permission.</Description>
               <DFFormat>
-                <xml />
+                <b64 />
               </DFFormat>
               <Occurrence>
                 <One />
@@ -232,18 +230,18 @@ The XML below is the current version for this CSP.
                 <Permanent />
               </Scope>
               <DFType>
-                <MIME>text/plain</MIME>
+                <DDFName></DDFName>
               </DFType>
             </DFProperties>
           </Node>
         </Node>
         <Node>
-          <NodeName>Config</NodeName>
+          <NodeName>Settings</NodeName>
           <DFProperties>
             <AccessType>
               <Get />
             </AccessType>
-            <Description>Device Configuration</Description>
+            <Description>Device settings operations.</Description>
             <DFFormat>
               <node />
             </DFFormat>
@@ -263,7 +261,7 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Retrieves XML from UEFI which describes the current UEFI configuration.</Description>
+              <Description>Retrieves XML from UEFI which describes the current UEFI settings.</Description>
               <DFFormat>
                 <xml />
               </DFFormat>
@@ -284,7 +282,7 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Replace />
               </AccessType>
-              <Description>Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.</Description>
+              <Description>Apply a settings information package to UEFI. Input is the signed package in base64 encoded format.</Description>
               <DFFormat>
                 <b64 />
               </DFFormat>
@@ -300,14 +298,14 @@ The XML below is the current version for this CSP.
             </DFProperties>
           </Node>
           <Node>
-            <NodeName>ApplyResult</NodeName>
+            <NodeName>Result</NodeName>
             <DFProperties>
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Retrieves XML describing the results of previous ApplyConfig operation.</Description>
+              <Description>Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting.</Description>
               <DFFormat>
-                <xml />
+                <b64 />
               </DFFormat>
               <Occurrence>
                 <One />
@@ -316,7 +314,196 @@ The XML below is the current version for this CSP.
                 <Permanent />
               </Scope>
               <DFType>
-                <MIME>text/plain</MIME>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Identity2</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Apply</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Replace />
+              </AccessType>
+              <Description>Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Result</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Retrieves the binary result package of the previous Identity2/Apply operation.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Permissions2</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Settings permission operations. Alternate endpoint for sending a second permission package without an OS restart.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Apply</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Replace />
+              </AccessType>
+              <Description>Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.  Alternate location for sending two permissions information packages in the same session.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Result</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Retrieves the binary result package from the previous Permissions2/Apply operation.  This binary package contains XML describing the action taken for each individual permission.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Settings2</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Device settings operations. Alternate endpoint for sending a second settings package without an OS restart.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Apply</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Replace />
+              </AccessType>
+              <Description>Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Result</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
               </DFType>
             </DFProperties>
           </Node>

windows/client-management/mdm/understanding-admx-backed-policies.md

@@ -176,7 +176,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
         </Target>
-        <Data>&lt;disabled/&gt;</Data>
+        <Data><disabled/></Data>
       </Item>
     </Replace>
     <Final/>
@@ -340,7 +340,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList</LocURI>
         </Target>
-        <Data>&lt;enabled/&gt;&lt;data id=&quot;Virtualization_JITVAllowList_Prompt&quot; value=&quot;C:\QuickPatch\TEST\snot.exe&#xF000;C:\QuickPatch\TEST\foo.exe&#xF000;C:\QuickPatch\TEST\bar.exe&quot;/&gt;</Data>
+        <Data><enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exe&#xF000;C:\QuickPatch\TEST\foo.exe&#xF000;C:\QuickPatch\TEST\bar.exe"/></Data>
       </Item>
     </Replace>
     <Final/>
@@ -384,7 +384,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
         <Target>
           <LocURI>./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange</LocURI>
         </Target>
-        <Data>&lt;Enabled/&gt;&lt;Data id=&quot;SecondaryHomePagesList&quot; value=&quot;http://name1&#xF000;http://name1&#xF000;http://name2&#xF000;http://name2&quot;/&gt;</Data>
+        <Data><Enabled/><Data id="SecondaryHomePagesList" value="http://name1&#xF000;http://name1&#xF000;http://name2&#xF000;http://name2"/></Data>
       </Item>
     </Replace>
     <Final/>
@@ -416,7 +416,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck</LocURI>
         </Target>
-        <Data>&lt;Enabled/&gt;</Data>
+        <Data><Enabled/></Data>
       </Item>
     </Replace>
     <Final/>
@@ -470,8 +470,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
           <LocURI>./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType</LocURI>
         </Target>
         <Data>
-          &lt;enabled/&gt;
-          &lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
+          <enabled/>
+          <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
         </Data>
       </Item>
     </Replace>
@@ -507,8 +507,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval</LocURI>
         </Target>
         <Data>
-          &lt;enabled/&gt;
-          &lt;data id=&quot;Streaming_Reestablishment_Interval_Prompt&quot; value=&quot;4&quot;/&gt;
+          <enabled/>
+          <data id="Streaming_Reestablishment_Interval_Prompt" value="4"/>
         </Data>
       </Item>
     </Replace>
@@ -560,8 +560,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
           <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</LocURI>
         </Target>
         <Data>
-          &lt;enabled/&gt;&lt;data id=&quot;DeviceInstall_Classes_Deny_Retroactive&quot; value=&quot;true&quot;/&gt;
-          &lt;Data id=&quot;DeviceInstall_Classes_Deny_List&quot; value=&quot;1&#xF000;deviceId1&#xF000;2&#xF000;deviceId2&quot;/&gt;
+          <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>
+          <Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;deviceId1&#xF000;2&#xF000;deviceId2"/>
         </Data>
       </Item>
     </Replace>

windows/client-management/mdm/vpnv2-csp.md

@@ -603,41 +603,41 @@ Profile example
           <Target>
             <LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
           </Target>
-          <Data>&lt;VPNProfile&gt;
-  &lt;ProfileName&gt;VPN_Demo&lt;/ProfileName&gt;
-  &lt;NativeProfile&gt;
-    &lt;Servers&gt;VPNServer.contoso.com&lt;/Servers&gt;
-    &lt;NativeProtocolType&gt;Automatic&lt;/NativeProtocolType&gt;
-    &lt;Authentication&gt;
-      &lt;UserMethod&gt;Eap&lt;/UserMethod&gt;
-      &lt;Eap&gt;
-        &lt;Configuration&gt;
-&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt; &lt;EapMethod&gt; &lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt; &lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt; &lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt; &lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt; &lt;/EapMethod&gt; &lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt; &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt; &lt;Type&gt;25&lt;/Type&gt; &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt; &lt;ServerValidation&gt; &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt; &lt;ServerNames&gt;&lt;/ServerNames&gt; &lt;/ServerValidation&gt; &lt;FastReconnect&gt;true&lt;/FastReconnect&gt; &lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt; &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt; &lt;Type&gt;13&lt;/Type&gt; &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1&quot;&gt; &lt;CredentialsSource&gt; &lt;CertificateStore&gt; &lt;SimpleCertSelection&gt;false&lt;/SimpleCertSelection&gt; &lt;/CertificateStore&gt; &lt;/CredentialsSource&gt; &lt;ServerValidation&gt; &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt; &lt;ServerNames&gt;&lt;/ServerNames&gt; &lt;/ServerValidation&gt; &lt;DifferentUsername&gt;false&lt;/DifferentUsername&gt; &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt; &lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt; &lt;TLSExtensions xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt; &lt;FilteringInfo xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3&quot;&gt; &lt;EKUMapping&gt; &lt;EKUMap&gt; &lt;EKUName&gt;Unknown Key Usage&lt;/EKUName&gt; &lt;EKUOID&gt;1.3.6.1.4.1.311.87&lt;/EKUOID&gt; &lt;/EKUMap&gt; &lt;/EKUMapping&gt; &lt;ClientAuthEKUList Enabled=&quot;true&quot;&gt; &lt;EKUMapInList&gt; &lt;EKUName&gt;Unknown Key Usage&lt;/EKUName&gt; &lt;/EKUMapInList&gt; &lt;/ClientAuthEKUList&gt; &lt;/FilteringInfo&gt; &lt;/TLSExtensions&gt; &lt;/EapType&gt; &lt;/Eap&gt; &lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt; &lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt; &lt;PeapExtensions&gt; &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt; &lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt; &lt;/PeapExtensions&gt; &lt;/EapType&gt; &lt;/Eap&gt; &lt;/Config&gt; &lt;/EapHostConfig&gt;
-    &lt;/Configuration&gt;
-      &lt;/Eap&gt;
-    &lt;/Authentication&gt;
-    &lt;RoutingPolicyType&gt;SplitTunnel&lt;/RoutingPolicyType&gt;
-  &lt;/NativeProfile&gt;
-  &lt;DomainNameInformation&gt;
-    &lt;DomainName&gt;.contoso.com&lt;/DomainName&gt;
-    &lt;DNSServers&gt;10.5.5.5&lt;/DNSServers&gt;
-  &lt;/DomainNameInformation&gt;
- &lt;TrafficFilter&gt;  
-    &lt;App&gt;%ProgramFiles%\Internet Explorer\iexplore.exe&lt;/App&gt; 
-  &lt;/TrafficFilter&gt; 
-  &lt;TrafficFilter&gt;  
-    &lt;App&gt;Microsoft.MicrosoftEdge_8wekyb3d8bbwe&lt;/App&gt;  
-  &lt;/TrafficFilter&gt;
-  &lt;Route&gt;
-    &lt;Address&gt;10.0.0.0&lt;/Address&gt;
-    &lt;PrefixSize&gt;8&lt;/PrefixSize&gt;
-  &lt;/Route&gt;
-  &lt;Route&gt;
-    &lt;Address&gt;25.0.0.0&lt;/Address&gt;
-    &lt;PrefixSize&gt;8&lt;/PrefixSize&gt;
-  &lt;/Route&gt;
-    &lt;RememberCredentials&gt;true&lt;/RememberCredentials&gt;
-  &lt;/VPNProfile&gt;</Data>
+          <Data><VPNProfile>
+  <ProfileName>VPN_Demo</ProfileName>
+  <NativeProfile>
+    <Servers>VPNServer.contoso.com</Servers>
+    <NativeProtocolType>Automatic</NativeProtocolType>
+    <Authentication>
+      <UserMethod>Eap</UserMethod>
+      <Eap>
+        <Configuration>
+<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> <EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig>
+    </Configuration>
+      </Eap>
+    </Authentication>
+    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
+  </NativeProfile>
+  <DomainNameInformation>
+    <DomainName>.contoso.com</DomainName>
+    <DNSServers>10.5.5.5</DNSServers>
+  </DomainNameInformation>
+ <TrafficFilter>  
+    <App>%ProgramFiles%\Internet Explorer\iexplore.exe</App> 
+  </TrafficFilter> 
+  <TrafficFilter>  
+    <App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App>  
+  </TrafficFilter>
+  <Route>
+    <Address>10.0.0.0</Address>
+    <PrefixSize>8</PrefixSize>
+  </Route>
+  <Route>
+    <Address>25.0.0.0</Address>
+    <PrefixSize>8</PrefixSize>
+  </Route>
+    <RememberCredentials>true</RememberCredentials>
+  </VPNProfile></Data>
         </Item>
       </Add>
 
@@ -1166,7 +1166,7 @@ PluginPackageFamilyName
           <Target>
             <LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration</LocURI>
           </Target>
-          <Data>&lt;pluginschema&gt;&lt;ipAddress&gt;auto&lt;/ipAddress&gt;&lt;port&gt;443&lt;/port&gt;&lt;networksettings&gt;&lt;routes&gt;&lt;includev4&gt;&lt;route&gt;&lt;address&gt;172.10.10.0&lt;/address&gt;&lt;prefix&gt;24&lt;/prefix&gt;&lt;/route&gt;&lt;/includev4&gt;&lt;/routes&gt;&lt;namespaces&gt;&lt;namespace&gt;&lt;space&gt;.vpnbackend.com&lt;/space&gt;&lt;dnsservers&gt;&lt;server&gt;172.10.10.11&lt;/server&gt;&lt;/dnsservers&gt;&lt;/namespace&gt;&lt;/namespaces&gt;&lt;/networksettings&gt;&lt;/pluginschema&gt;</Data>
+          <Data><pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema></Data>
         </Item>
       </Add>
 ```

windows/client-management/mdm/vpnv2-profile-xsd.md

@@ -347,7 +347,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
     <PluginProfile>
         <ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
         <PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
-        <CustomConfiguration>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</CustomConfiguration>
+        <CustomConfiguration><pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema></CustomConfiguration>
     </PluginProfile>
     <Route>
         <Address>192.168.0.0</Address>

windows/client-management/mdm/wifi-csp.md

@@ -23,7 +23,7 @@ Programming considerations:
 -   Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator.
 -   For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device.
 -   The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported.
--   The <name>*name\_goes\_here*</name><SSIDConfig> must match <SSID><name> *name\_goes\_here*</name></SSID>.
+-   The <name>*name\_goes\_here*</name><SSIDConfig> must match <SSID><name> *name\_goes\_here*</name></SSID>.
 -   For the WiFi CSP, you cannot use the Replace command unless the node already exists.
 -   Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
 
@@ -41,10 +41,10 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is
 
 Supported operation is Get.
 
-<a href="" id="-ssid-"></a>***&lt;SSID&gt;***
+<a href="" id="-ssid-"></a>***<SSID>***
 Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted.
 
-SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, &lt;LocURI&gt;./Vendor/MSFT/WiFi/Profile/&lt;*MUST BE NAME OF PROFILE AS PER WIFI XML*&gt;/WlanXml&lt;/LocURI&gt;.
+SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, <LocURI>./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml</LocURI>.
 
 The supported operations are Add, Get, Delete, and Replace.
 
@@ -130,7 +130,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
           <Meta>
             <Format xmlns="syncml:metinf">chr</Format>
           </Meta>
-          <Data>&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://contoso.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;hex&gt;412D4D534654574C414E&lt;/hex&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;manual&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;WPA2&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;useOneX&gt;true&lt;/useOneX&gt;&lt;/authEncryption&gt;&lt;OneX xmlns=&quot;http://contoso.com/networking/OneX/v1&quot;&gt;&lt;authMode&gt;user&lt;/authMode&gt;&lt;EAPConfig&gt;&lt;EapHostConfig xmlns=&quot;http://contoso.com/provisioning/EapHostConfig&quot;&gt;&lt;EapMethod&gt;&lt;Type xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt;&lt;VendorId xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns=&quot;http://contoso.com/provisioning/EapHostConfig&quot;&gt;&lt;Eap xmlns=&quot;http://contoso.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;25&lt;/Type&gt;&lt;EapType xmlns=&quot;http://contoso.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt;&lt;ServerValidation&gt;&lt;DisableUserPromptForServerValidation&gt;true&lt;/DisableUserPromptForServerValidation&gt;&lt;ServerNames&gt;&lt;/ServerNames&gt;&lt;/ServerValidation&gt;&lt;FastReconnect&gt;true&lt;/FastReconnect&gt;&lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt;&lt;Eap xmlns=&quot;http://contoso.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;26&lt;/Type&gt;&lt;EapType xmlns=&quot;http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;&lt;UseWinLogonCredentials&gt;false&lt;/UseWinLogonCredentials&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt;&lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt;&lt;PeapExtensions&gt;&lt;PerformServerValidation xmlns=&quot;http://contoso.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt;&lt;AcceptServerName xmlns=&quot;http://contoso.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt;&lt;/PeapExtensions&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/EAPConfig&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt; </Data>
+          <Data><?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data>
         </Item>
       </Add>
       <Add>
@@ -215,7 +215,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw
           <Meta>
             <Format xmlns="syncml:metinf">chr</Format>
           </Meta>
-          <Data>&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;manual&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;WPA2&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;useOneX&gt;true&lt;/useOneX&gt;&lt;/authEncryption&gt;&lt;OneX xmlns=&quot;http://www.microsoft.com/networking/OneX/v1&quot;&gt;&lt;authMode&gt;user&lt;/authMode&gt;&lt;EAPConfig&gt;&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;&lt;EapMethod&gt;&lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt;&lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;&lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;25&lt;/Type&gt;&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt;&lt;ServerValidation&gt;&lt;DisableUserPromptForServerValidation&gt;true&lt;/DisableUserPromptForServerValidation&gt;&lt;ServerNames&gt;&lt;/ServerNames&gt;&lt;TrustedRootCA&gt; InsertCertThumbPrintHere &lt;/TrustedRootCA&gt;&lt;/ServerValidation&gt;&lt;FastReconnect&gt;true&lt;/FastReconnect&gt;&lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt;&lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;26&lt;/Type&gt;&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;&lt;UseWinLogonCredentials&gt;false&lt;/UseWinLogonCredentials&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt;&lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt;&lt;PeapExtensions&gt;&lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;true&lt;/PerformServerValidation&gt;&lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt;&lt;/PeapExtensions&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/EAPConfig&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt; </Data>
+          <Data><?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA> InsertCertThumbPrintHere </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data>
         </Item>
       </Add>
 </Atomic>

windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md

@@ -205,136 +205,136 @@ The following example shows an ADMX file in SyncML format:
         <Target>
           <LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01</LocURI>
         </Target>
-        <Data>&lt;policyDefinitions revision=&quot;1.0&quot; schemaVersion=&quot;1.0&quot;&gt;
-          &lt;categories&gt;
-          &lt;category name=&quot;ParentCategoryArea&quot;/&gt;
-          &lt;category name=&quot;Category1&quot;&gt;
-          &lt;parentCategory ref=&quot;ParentCategoryArea&quot; /&gt;
-          &lt;/category&gt;
-          &lt;category name=&quot;Category2&quot;&gt;
-          &lt;parentCategory ref=&quot;ParentCategoryArea&quot; /&gt;
-          &lt;/category&gt;
-          &lt;category name=&quot;Category3&quot;&gt;
-          &lt;parentCategory ref=&quot;Category2&quot; /&gt;
-          &lt;/category&gt;
-          &lt;/categories&gt;
-          &lt;policies&gt;
-          &lt;policy name=&quot;L_PolicyConfigurationMode&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyConfigurationMode)&quot; explainText=&quot;$(string.L_ExplainText_ConfigurationMode)&quot; presentation=&quot;$(presentation.L_PolicyConfigurationMode)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;configurationmode&quot;&gt;
-          &lt;parentCategory ref=&quot;Category1&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;enabledValue&gt;
-          &lt;decimal value=&quot;1&quot; /&gt;
-          &lt;/enabledValue&gt;
-          &lt;disabledValue&gt;
-          &lt;decimal value=&quot;0&quot; /&gt;
-          &lt;/disabledValue&gt;
-          &lt;elements&gt;
-          &lt;text id=&quot;L_ServerAddressInternal_VALUE&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;serveraddressinternal&quot; required=&quot;true&quot; /&gt;
-          &lt;text id=&quot;L_ServerAddressExternal_VALUE&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;serveraddressexternal&quot; required=&quot;true&quot; /&gt;
-          &lt;/elements&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicyEnableSIPHighSecurityMode&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyEnableSIPHighSecurityMode)&quot; explainText=&quot;$(string.L_ExplainText_EnableSIPHighSecurityMode)&quot; presentation=&quot;$(presentation.L_PolicyEnableSIPHighSecurityMode)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;enablesiphighsecuritymode&quot;&gt;
-          &lt;parentCategory ref=&quot;Category1&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;enabledValue&gt;
-          &lt;decimal value=&quot;1&quot; /&gt;
-          &lt;/enabledValue&gt;
-          &lt;disabledValue&gt;
-          &lt;decimal value=&quot;0&quot; /&gt;
-          &lt;/disabledValue&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicySipCompression&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicySipCompression)&quot; explainText=&quot;$(string.L_ExplainText_SipCompression)&quot; presentation=&quot;$(presentation.L_PolicySipCompression)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
-          &lt;parentCategory ref=&quot;Category1&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;elements&gt;
-          &lt;enum id=&quot;L_PolicySipCompression&quot; valueName=&quot;sipcompression&quot;&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal0)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;0&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal1)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;1&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal2)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;2&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal3)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;3&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;/enum&gt;
-          &lt;/elements&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicyPreventRun&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyPreventRun)&quot; explainText=&quot;$(string.L_ExplainText_PreventRun)&quot; presentation=&quot;$(presentation.L_PolicyPreventRun)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;preventrun&quot;&gt;
-          &lt;parentCategory ref=&quot;Category1&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;enabledValue&gt;
-          &lt;decimal value=&quot;1&quot; /&gt;
-          &lt;/enabledValue&gt;
-          &lt;disabledValue&gt;
-          &lt;decimal value=&quot;0&quot; /&gt;
-          &lt;/disabledValue&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicyConfiguredServerCheckValues&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyConfiguredServerCheckValues)&quot; explainText=&quot;$(string.L_ExplainText_ConfiguredServerCheckValues)&quot; presentation=&quot;$(presentation.L_PolicyConfiguredServerCheckValues)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
-          &lt;parentCategory ref=&quot;Category2&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;elements&gt;
-          &lt;text id=&quot;L_ConfiguredServerCheckValues_VALUE&quot; valueName=&quot;configuredservercheckvalues&quot; required=&quot;true&quot; /&gt;
-          &lt;/elements&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicySipCompression_1&quot; class=&quot;User&quot; displayName=&quot;$(string.L_PolicySipCompression)&quot; explainText=&quot;$(string.L_ExplainText_SipCompression)&quot; presentation=&quot;$(presentation.L_PolicySipCompression_1)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
-          &lt;parentCategory ref=&quot;Category2&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;elements&gt;
-          &lt;enum id=&quot;L_PolicySipCompression&quot; valueName=&quot;sipcompression&quot;&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal0)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;0&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal1)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;1&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal2)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;2&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;item displayName=&quot;$(string.L_SipCompressionVal3)&quot;&gt;
-          &lt;value&gt;
-          &lt;decimal value=&quot;3&quot; /&gt;
-          &lt;/value&gt;
-          &lt;/item&gt;
-          &lt;/enum&gt;
-          &lt;/elements&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicyPreventRun_1&quot; class=&quot;User&quot; displayName=&quot;$(string.L_PolicyPreventRun)&quot; explainText=&quot;$(string.L_ExplainText_PreventRun)&quot; presentation=&quot;$(presentation.L_PolicyPreventRun_1)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;preventrun&quot;&gt;
-          &lt;parentCategory ref=&quot;Category3&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;enabledValue&gt;
-          &lt;decimal value=&quot;1&quot; /&gt;
-          &lt;/enabledValue&gt;
-          &lt;disabledValue&gt;
-          &lt;decimal value=&quot;0&quot; /&gt;
-          &lt;/disabledValue&gt;
-          &lt;/policy&gt;
-          &lt;policy name=&quot;L_PolicyGalDownloadInitialDelay_1&quot; class=&quot;User&quot; displayName=&quot;$(string.L_PolicyGalDownloadInitialDelay)&quot; explainText=&quot;$(string.L_ExplainText_GalDownloadInitialDelay)&quot; presentation=&quot;$(presentation.L_PolicyGalDownloadInitialDelay_1)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
-          &lt;parentCategory ref=&quot;Category3&quot; /&gt;
-          &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
-          &lt;elements&gt;
-          &lt;decimal id=&quot;L_GalDownloadInitialDelay_VALUE&quot; valueName=&quot;galdownloadinitialdelay&quot; minValue=&quot;0&quot; required=&quot;true&quot; /&gt;
-          &lt;/elements&gt;
-          &lt;/policy&gt;
-          &lt;/policies&gt;
-          &lt;/policyDefinitions&gt;</Data>
+        <Data><policyDefinitions revision="1.0" schemaVersion="1.0">
+          <categories>
+          <category name="ParentCategoryArea"/>
+          <category name="Category1">
+          <parentCategory ref="ParentCategoryArea" />
+          </category>
+          <category name="Category2">
+          <parentCategory ref="ParentCategoryArea" />
+          </category>
+          <category name="Category3">
+          <parentCategory ref="Category2" />
+          </category>
+          </categories>
+          <policies>
+          <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
+          <parentCategory ref="Category1" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <enabledValue>
+          <decimal value="1" />
+          </enabledValue>
+          <disabledValue>
+          <decimal value="0" />
+          </disabledValue>
+          <elements>
+          <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
+          <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
+          </elements>
+          </policy>
+          <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
+          <parentCategory ref="Category1" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <enabledValue>
+          <decimal value="1" />
+          </enabledValue>
+          <disabledValue>
+          <decimal value="0" />
+          </disabledValue>
+          </policy>
+          <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
+          <parentCategory ref="Category1" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <elements>
+          <enum id="L_PolicySipCompression" valueName="sipcompression">
+          <item displayName="$(string.L_SipCompressionVal0)">
+          <value>
+          <decimal value="0" />
+          </value>
+          </item>
+          <item displayName="$(string.L_SipCompressionVal1)">
+          <value>
+          <decimal value="1" />
+          </value>
+          </item>
+          <item displayName="$(string.L_SipCompressionVal2)">
+          <value>
+          <decimal value="2" />
+          </value>
+          </item>
+          <item displayName="$(string.L_SipCompressionVal3)">
+          <value>
+          <decimal value="3" />
+          </value>
+          </item>
+          </enum>
+          </elements>
+          </policy>
+          <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
+          <parentCategory ref="Category1" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <enabledValue>
+          <decimal value="1" />
+          </enabledValue>
+          <disabledValue>
+          <decimal value="0" />
+          </disabledValue>
+          </policy>
+          <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
+          <parentCategory ref="Category2" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <elements>
+          <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
+          </elements>
+          </policy>
+          <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
+          <parentCategory ref="Category2" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <elements>
+          <enum id="L_PolicySipCompression" valueName="sipcompression">
+          <item displayName="$(string.L_SipCompressionVal0)">
+          <value>
+          <decimal value="0" />
+          </value>
+          </item>
+          <item displayName="$(string.L_SipCompressionVal1)">
+          <value>
+          <decimal value="1" />
+          </value>
+          </item>
+          <item displayName="$(string.L_SipCompressionVal2)">
+          <value>
+          <decimal value="2" />
+          </value>
+          </item>
+          <item displayName="$(string.L_SipCompressionVal3)">
+          <value>
+          <decimal value="3" />
+          </value>
+          </item>
+          </enum>
+          </elements>
+          </policy>
+          <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
+          <parentCategory ref="Category3" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <enabledValue>
+          <decimal value="1" />
+          </enabledValue>
+          <disabledValue>
+          <decimal value="0" />
+          </disabledValue>
+          </policy>
+          <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
+          <parentCategory ref="Category3" />
+          <supportedOn ref="windows:SUPPORTED_Windows7" />
+          <elements>
+          <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
+          </elements>
+          </policy>
+          </policies>
+          </policyDefinitions></Data>
       </Item>
     </Add>
     <Final/>
@@ -423,7 +423,7 @@ The following examples describe how to set an ADMX-ingested app policy.
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
         </Target>
-        <Data>&lt;enabled/&gt;&lt;data id=&quot;L_ServerAddressInternal_VALUE&quot; value=&quot;TextValue1&quot;/&gt;&lt;data id=&quot;L_ServerAddressExternal_VALUE&quot; value=&quot;TextValue2&quot;/&gt;</Data>
+        <Data><enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/></Data>
       </Item>
     </Replace>
     <Final/>
@@ -457,7 +457,7 @@ The following examples describe how to set an ADMX-ingested app policy.
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
         </Target>
-        <Data>&lt;disabled/&gt;</Data>
+        <Data><disabled/></Data>
       </Item>
     </Replace>
     <Final/>

windows/client-management/reset-a-windows-10-mobile-device.md

@@ -65,7 +65,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th
 ##  Reset using the UI
 
 
-1.  On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone**
+1.  On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone**
 
 2.  When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if:
 

windows/configuration/kiosk-mdm-bridge.md

@@ -32,54 +32,54 @@ $nameSpaceName="root\cimv2\mdm\dmmap"
 $className="MDM_AssignedAccess"
 $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
 $obj.Configuration = @"
-<?xml version="1.0" encoding="utf-8" ?>
-<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
-  <Profiles>
-    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
-      <AllAppsList>
-        <AllowedApps>
-          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
-          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
-          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
-          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
-          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
-          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
-          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
-        </AllowedApps>
-      </AllAppsList>
-      <StartLayout>
-        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
-                      <LayoutOptions StartTileGroupCellWidth="6" />
-                      <DefaultLayoutOverride>
-                        <StartLayoutCollection>
-                          <defaultlayout:StartLayout GroupCellWidth="6">
-                            <start:Group Name="Group1">
-                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
-                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
-                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
-                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
-                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
-                            </start:Group>
-                            <start:Group Name="Group2">
-                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
-                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
-                            </start:Group>
-                          </defaultlayout:StartLayout>
-                        </StartLayoutCollection>
-                      </DefaultLayoutOverride>
-                    </LayoutModificationTemplate>
-                ]]>
-      </StartLayout>
-      <Taskbar ShowTaskbar="true"/>
-    </Profile>
-  </Profiles>
-  <Configs>
-    <Config>
-      <Account>MultiAppKioskUser</Account>
-      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
-    </Config>
-  </Configs>
-</AssignedAccessConfiguration>
+<?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+  <Profiles>
+    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+      <AllAppsList>
+        <AllowedApps>
+          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+        </AllowedApps>
+      </AllAppsList>
+      <StartLayout>
+        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+                      <LayoutOptions StartTileGroupCellWidth="6" />
+                      <DefaultLayoutOverride>
+                        <StartLayoutCollection>
+                          <defaultlayout:StartLayout GroupCellWidth="6">
+                            <start:Group Name="Group1">
+                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+                            </start:Group>
+                            <start:Group Name="Group2">
+                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
+                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
+                            </start:Group>
+                          </defaultlayout:StartLayout>
+                        </StartLayoutCollection>
+                      </DefaultLayoutOverride>
+                    </LayoutModificationTemplate>
+                ]]>
+      </StartLayout>
+      <Taskbar ShowTaskbar="true"/>
+    </Profile>
+  </Profiles>
+  <Configs>
+    <Config>
+      <Account>MultiAppKioskUser</Account>
+      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+    </Config>
+  </Configs>
+</AssignedAccessConfiguration>
 "@
  
 Set-CimInstance -CimInstance $obj

windows/configuration/kiosk-shelllauncher.md

@@ -34,13 +34,15 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
 >
 >You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
 
->[!WARNING]
->Windows 10 doesn’t support setting a custom shell prior to the out-of-box-experience (OOBE). If you do, you won’t be able to deploy the resulting image.
->
->Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.  
+ 
 
 ### Requirements
 
+>[!WARNING]
+>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>
+>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. 
+
 -   A domain or local user account.
 
 -   A Windows desktop application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.

windows/deployment/update/windows-analytics-azure-portal.md

@@ -27,15 +27,13 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and
 ### Permissions
 
 >[!IMPORTANT]
->Unlike the OMS portal, the Azure portal requires access to both an Azure Log Analytics subscription and a linked Azure subscription.
+>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked Azure subscription or Azure resource group.
 
 To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
 
 [![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png)
 
-If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**.
-
-The Azure subscription requires at least "Log Analytics Reader" permission. Making changes (for example, to set app importance in Upgrade Readiness) requires "Log Analytics Contributor" permission. You can view your current role and make changes in other roles by using the Access control (IAM) tab in Azure. These permissions will be inherited by Azure Log Analytics.
+If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspaces's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states).
 
 When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page.
 

windows/hub/index.md

@@ -8,7 +8,7 @@ author: greg-lindsay
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.date: 04/30/2018
+ms.date: 10/02/2018
 ---
 
 # Windows 10 and Windows 10 Mobile
@@ -18,15 +18,16 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
 
  
 
-> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
+
+> [!video https://www.youtube.com/embed/hAva4B-wsVA]
 
 
-## Check out [what's new in Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803).
+## Check out [what's new in Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809).
 <br>
 <table border="0" width="100%" align="center">
   <tr style="text-align:center;">
     <td align="center" style="width:25%; border:0;">
-      <a href="/windows/whats-new/whats-new-windows-10-version-1803"> 
+      <a href="/windows/whats-new/whats-new-windows-10-version-1809"> 
         <img src="images/whatsnew.png" alt="Read what's new in Windows 10" title="Whats new" />
       <br/>What's New? </a><br>
     </td>