"`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._
+
+ You'll be asked for your user name and password for the service.
+
+4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service.
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
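Review bot: the InstallUtil step prompts for a service account ("You'll be asked for your user name and password for the service") but never says which account to supply; since that account becomes the logon identity of the EMIEScheduler service, the page should state that it must be a dedicated, least-privilege domain account with only the access the scheduler needs (the pre-production and production XML paths), not a personal or administrative account. The example path `C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe` also points at a Debug build output; a deployment procedure should reference the Release build or the location the binaries are deployed to rather than the developer's bin\Debug folder.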
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
new file mode 100644
index 0000000000..a478fd9557
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -0,0 +1,79 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
+ms.prod: ie11
+title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Use the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users.
+
+## Minimum system requirements for portal and test machines
+Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
+
+|Item |Description |
+|-----|------------|
+|Operating system |Windows 7 or later |
+|Memory |16 GB RAM |
+|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security |
+|Active Directory (AD) |Devices must be domain-joined |
+|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later |
+|Visual Studio |Visual Studio 2015 or later |
+|Node.js® package manager |npm Developer version or higher |
+|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later |
+
+## Role assignments and available actions
+Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table.
+
+|Role assignment |Available actions |
+|----------------|------------------|
+|Requester |- Create a change request
- Validate changes in the pre-production environment
- Rollback pre-production and production changes in case of failure
- Send approval requests
- View own requests
- Sign off and close own requests
|
+|Approver
(includes the App Manager and Group Head roles) |- All of the Requester actions, plus:
- Approve requests
|
+|Administrator |- All of the Requester and Approver actions, plus:
- Add employees to the portal
- Assign employee roles
- Approve registrations to the portal
- Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)
- Use the standalone Enterprise Mode Site List Manager page
- View reports
|
+
+## Enterprise Mode Site List Portal workflow by employee role
+The following workflow describes how to use the Enterprise Mode Site List Portal.
+
+1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
+
+2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
+
+3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
+
+4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
+
+5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
+
+
+## Related topics
+- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
+
+- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
+
+- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
+
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+
+
+
+
+
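Review bot: the sentence "You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users." repeats the opening of the paragraph above it almost verbatim and should be dropped. In the requirements table, "Internet Information Service (IIS) 6.0 or later" is inconsistent with "Windows 7 or later" (Windows 7 ships IIS 7.5; IIS 6.0 belongs to Windows Server 2003), and "npm Developer version or higher" is not an npm version designation, so give a concrete minimum Node.js/npm version; also confirm that SQL Server Enterprise Edition is genuinely required rather than Standard or Express, because that is a large cost to impose without explanation. In the role table, the Requester role includes "Rollback pre-production and production changes in case of failure", which means a Requester can change the production site list with no Approver involved; if that is intended, say so explicitly where the workflow describes production changes as gated by Approvers. This file also lacks the `author:` front-matter key that the sibling new files carry, and ends with five empty lines.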
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
new file mode 100644
index 0000000000..ad7ff7fb3e
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -0,0 +1,66 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Verify your changes using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+>[!Important]
+>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+
+The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
+
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+
+- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
+
+- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
+
+## Verify and send the change request to Approvers
+The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
+
+**To verify changes and send to the Approver(s)**
+1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
+
+2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
+
+ The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
+
+
+**To rollback your pre-production changes**
+1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
+
+2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
+
+ The change request and issue info are sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
+
+ After the Requester rolls back the changes, the request can be updated and re-submitted.
+
+
+## View rolled back change requests
+The original Requester and the Administrator(s) group can view the rolled back change requests.
+
+**To view the rolled back change request**
+
+- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
+
+ All rolled back change requests appear, with role assignment determining which ones are visible.
+
+## Next steps
+If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.
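Review bot: the Important note requires every Requester to hold Administrator rights on a test machine and then run a batch file received by email ("EMIE_RegKey. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List."), but the page never names the registry hive, key or value that file writes, nor the path it points at; state them so a Requester can inspect the .bat before running it with admin rights and can confirm that EMIE_Reset undoes exactly that change. Two smaller points: "To rollback your pre-production changes" should read "To roll back" (verb form), and the "Next steps" section tells the Requester to "next send it to the Approvers", which step 2 under "To verify changes and send to the Approver(s)" already covers, so Next steps should only point at the Approver topic.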
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
new file mode 100644
index 0000000000..9b17b1c55d
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -0,0 +1,41 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+## Verify and sign off on the update in the production environment
+The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
+
+**To verify the changes and sign off**
+- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
+
+ The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
+
+
+**To rollback production changes**
+1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
+
+2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
+
+ The info is sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the production environment.
+
+ After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
+
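Review bot: the closing sentence ("After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.") does not say what happens; state whether the entry is removed from both XML files, reverted to its previous values, or returned to the Requester for editing as the pre-production topic describes. The rollback here lets the Requester revert the production site list with only "The info is sent to the Administrators." as notification, whereas sign-off emails the Requester, Approver group and Administrator group; document whether Approvers are told about a production rollback. The text box is called "Change description" in step 2 here but "Issue description" in the pre-production topic, so confirm which label the UI uses, and "To rollback production changes" should read "To roll back".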
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
new file mode 100644
index 0000000000..90be9b01af
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -0,0 +1,37 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
+
+**To view the active Enterprise Mode Site List**
+1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
+
+ The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
+
+
+**To export the active Enterprise Mode Site List**
+1. On the **Production sites list** page, click **Export**.
+
+2. Save the ProductionSiteList.xlsx file.
+
+ The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
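Review bot: the export step produces a ProductionSiteList.xlsx that "includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser", which is a complete inventory of the organisation's legacy internal apps; add a sentence on treating that file as internal data, and say whether Export is available to every role or only to Administrators, since the page opens with "Any employee with access to the Enterprise Mode Site List Portal can view the apps".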
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
new file mode 100644
index 0000000000..39742890ba
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -0,0 +1,49 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal.
+
+**To view the reports**
+1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page.
+
+ The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers.
+
+3. Click **Apply**.
+
+ The reports all change to reflect the appropriate timeframe and group, including:
+
+ - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List.
+
+ - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field.
+
+ - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**.
+
+ - **All requests by status.** Shows how many change requests exist, based on each status.
+
+ - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field.
+
+ - **Request status by group.** Shows how many change requests exist, based on both group and status.
+
+ - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field.
+
+ - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**.
\ No newline at end of file
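Review bot: the sentence under step 1 ("The Enterprise Mode reports page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.") is copied from the Production sites list topic and describes that page, not the reports page; replace it with a description of the report cards listed under step 3. Step 3 says the reports reflect "the appropriate timeframe and group", but the only filters described are From date and To date, so either describe the group selector or drop "and group". In the report list, "All websites by docmode" is described as counting change requests rather than websites, "Enterprise Mode Sit List" is a typo for "Site List", and "Updated from site list" sits oddly beside "Added to site list" and "Deleted from site list" (likely "Updated in site list").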
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 44cf261391..f803185980 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -6,12 +6,12 @@ description: Info about the features included in Enterprise Mode with Internet E
author: eross-msft
ms.prod: ie11
ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
-title: What is Enterprise Mode (Internet Explorer 11 for IT Pros)
+title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
-# What is Enterprise Mode?
+# Enterprise Mode and the Enterprise Mode Site List
**Applies to:**
@@ -21,28 +21,146 @@ ms.sitesec: library
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
-Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
-Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to the latest version of IE. In particular, IE11 lets customers benefit from modern web standards, increased performance, improved security, and better reliability.
+## Available dual-browser experiences
+Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
-## Enterprise Mode features
+- Use Microsoft Edge as your primary browser.
+- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
+
+- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
+
+- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
+
+For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
+
+## What is Enterprise Mode?
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
+
+### Enterprise Mode features
Enterprise Mode includes the following features:
-- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting a number of site patterns that aren’t currently supported by existing document modes.
+- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
-- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
+- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
-- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the **Tools** menu and to decide whether the Enterprise browser profile appears on the **Emulation** tab of the F12 developer tools.
**Important**
All centrally-made decisions override any locally-made choices.
+- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
-- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
+ >[!Important]
+ >All centrally-made decisions override any locally-made choices.
-- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
+- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
-
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
-
+## Enterprise Mode and the Enterprise Mode Site List XML file
+The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
+Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
+### Site list xml file
+This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
+```xml
+
+
+
+ EnterpriseSiteListManager
+ 10586
+ 20150728.135021
+
+
+
+ IE8Enterprise
+ IE11
+
+
+ default
+ IE11
+
+
+ IE7Enterprise
+ IE11
+
+
+
+
+ IE8Enterprise"
+ IE11
+
+
+ IE7
+ IE11
+
+
+ IE7
+ IE11
+
+
+
+```
+
+## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier.
+
+### Enterprise Mode Site List Manager
+This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
+
+There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
+
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
+
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
+
+### Enterprise Mode Site List Portal
+The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
+
+In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
+
+- Manage site lists from any device supporting Windows 7 or greater.
+
+- Submit change requests.
+
+- Operate offline through an on-premise solution.
+
+- Provide role-based governance.
+
+- Test configuration settings before releasing to a live environment.
+
+Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics.
+
+## Related topics
+
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
+
+- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)
+
+- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
+
+- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
+
+- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
\ No newline at end of file
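Review bot: the sample under "Site list xml file" has lost all of its markup: only element text survives ("EnterpriseSiteListManager", "10586", "IE8Enterprise", "IE11") plus one stray quote (`IE8Enterprise"`), so the fenced block is not XML and cannot be pasted into a site list; restore the element tags from the linked gist so the block is well-formed, or drop it. "Windows 10, version 1511 (also known as the Anniversary Update)" is wrong: 1511 is the November Update, and the Anniversary Update is version 1607, which is the release the linked May 2016 post describes. The rewritten definition narrows Enterprise Mode to "Internet Explorer 11 on Windows 10 devices", but the Applies to list and the removed text cover Windows 7 and Windows 8.1 as well; keep the broader statement. Since the page now says the site list can be "an XML file on a website or stored locally" and that "All centrally-made decisions override any locally-made choices", add a sentence that whoever can write that file controls which sites IE11 renders in IE7/IE8 emulation and which sites Microsoft Edge hands to IE11, with a recommendation to host it on an HTTPS, write-restricted location. Minor: "You can build and manage your Enterprise Mode Site List is by using" has a stray "is"; "see the Use the [Enterprise Mode Site List Manager]" is garbled; under the v.2 bullet the pointer after "it will update the schema to v.2, automatically" goes to the v.1 guidance page; "on-premise" should be "on-premises"; the first two bullets under "Available dual-browser experiences" lack the blank line the others have.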
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
new file mode 100644
index 0000000000..6c23ee0748
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -0,0 +1,42 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+
+# Workflow-based processes for employees using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow.
+
+## In this section
+|Topic |Description |
+|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
+|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.|
+|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.|
+|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.|
+|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.|
+|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.|
+|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.|
+|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. |
+
+
+## Related topics
+- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
+
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
\ No newline at end of file
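Review bot: The added row `|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports ...` repeats "view the"; drop one. The new file also ends without a trailing newline ("\ No newline at end of file") and has two blank lines between the front matter and the H1 where the sibling portal topic in this change uses one; add the newline and remove the extra blank line so the new topic matches the others.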
diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md
index 0adc21dd7f..1663325a24 100644
--- a/windows/access-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/access-protection/credential-guard/credential-guard-considerations.md
@@ -28,9 +28,9 @@ in the Deep Dive into Credential Guard video series.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
-## NTLM and CHAP Considerations
+## Wi-fi and VPN Considerations
+When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
-When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
## Kerberos Considerations
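Review bot: The renamed heading "Wi-fi and VPN Considerations" no longer covers the first sentence under it, which is still about NTLM v1 being unavailable once Credential Guard is on; either keep NTLM in the heading (for example "NTLM, Wi-Fi and VPN Considerations") or move the NTLM v1 sentence into the general bullet list above. Within the added line the spelling is inconsistent ("Wi-fi" in the heading, "WiFi" in the body, "MS-CHAPv2" and "MSCHAPv2" in the same sentence); standardize on "Wi-Fi" and "MS-CHAPv2". "they are subject to similar attacks as for NTLMv1" should read "they are subject to attacks similar to those against NTLMv1".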
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index 627724bbe5..22574d09a4 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md
index 26876a7fac..c1713b7bac 100644
--- a/windows/access-protection/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@@ -6,7 +6,7 @@ author: MikeStephens-MS
description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
manager: alanth
ms.prod: w10
-ms.technology: security
+ms.technology: windows
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
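Review bot: With `"ms.technology": "windows"` now set in the globalMetadata of windows/access-protection/docfx.json, the per-file `ms.technology: windows` in this front matter is redundant; remove the key here rather than changing its value, so the global default applies and a later change to the global value does not need a per-file edit. If an explicit per-file value is intended, say so in the PR description, because `security` was the only non-default value in this set and the reason for dropping it is not stated.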
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index a0c06828be..cc2687ac6a 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 107c56cde2..b42d904675 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 07ca5a5dc2..9e4397cd87 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index 652028bf85..3c58607382 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index 20d4edb47f..f5c4e6001a 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Device security](index.md) docum
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
+| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. |
## March 2017
|New or changed topic |Description |
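Review bot: The new change-history row describes "Network access: Restrict clients allowed to make remote calls to SAM" as a "New security policy setting", but this PR modifies an existing topic (that file has an index line, not `new file mode`), so the entry should describe what changed: the scope now explicitly includes Active Directory, the default-values table gained rows for earlier Windows versions, and the Location section explains how to apply the setting to earlier versions. The unchanged row above also misspells "minimum" as "minimun"; worth fixing while in this table.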
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index b0f818ea94..c0e36621af 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index f28eab1191..6d55050b6b 100644
--- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
-author: brianlic-msft
+author: justinha
---
# Network access: Restrict clients allowed to make remote calls to SAM
@@ -23,23 +23,33 @@ author: brianlic-msft
- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
-The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic.
+The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory.
+The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic.
-This topic describes the default values for this security policy setting in different versions of Windows, related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups in the SAM so that your environment remains secure without adversely impacting application compatibility.
+This topic describes the default values for this security policy setting in different versions of Windows.
+By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows.
+This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
+
+This topic also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility.
## Reference
-The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment.
+The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data.
+For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory.
+This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment.
-To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define.
+To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls.
+The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define.
-By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy is not enforced.
+By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined.
+If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM.
+If the policy setting is left blank after the policy is defined, the policy is not enforced.
-The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
+The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers.
+You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
-The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications.
-
-This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
+The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions.
+This less restrictive default allows for testing the impact of enabling restrictions on existing applications.
## Possible values
- Not defined
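Review bot: The added line "The setting was first supported by Windows 10 version 1607 ... by installing updates from the the KB articles listed in **Applies to** section of this topic." carries the doubled "the the" over from the removed line and is also missing "the" before "**Applies to**"; fix both while touching it. The moved sentence "the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed" is ambiguous about which side is affected: the setting is enforced on the computer being queried, so "remote enumeration of accounts on the Windows Server 2016 servers is denied by default, while the same query against the Windows Server 2012 R2 servers succeeds" states it without implying the 2016 servers are the callers. Since that paragraph now sits between two paragraphs that each begin "This topic ...", merging those two into one would read cleaner.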
@@ -47,36 +57,39 @@ This means that if you have a mix of computers, such as servers that run both Wi
## Location
+On computers that run Windows Server 2016 and Windows 10, version 1607 and later, you can edit this security policy setting in the following location in the Group Policy Management Console:
+
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam
+On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences.
+To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed.
+
> [!NOTE]
This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path.
## Default values
-Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. Computers that run earlier versions of Windows do not perform any access check by default. That includes domain controllers and non-domain controllers. This allows administrators to test whether applying the same restriction (that is, granting READ_CONTROL access only to members of the local Administrators group) will cause compatibility problems for existing applications before implementing this security policy setting in a production environment.
+Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows.
+The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes.
+Administrators can test whether applying the same restriction earlier versions of Windows will cause compatibility problems for existing applications before implementing this security policy setting in a production environment.
In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows.
-### Default values beginning with Windows 10 version 1607 and Windows Server 2016
-The following default values apply to computers beginning with Windows Server 2016 and Windows 10, version 1607. The default security descriptor for non-domain controllers grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group.
-
-
| |Default SDDL |Translated SDDL| Comments
|---|---|---|---|
-|Domain controller (reading Active Directory|“”|-|Everyone has read permissions to preserve compatibility.
-|Non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]------------------------- AceType:0x00
(ACCESS_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)
SACL: Not present |Only members of the local (built-in) Administrators group get access.|
-
-### Default values for earlier versions of Windows
-
-The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run.
+|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
+|Earlier domain controller |-|-|No access check is performed by default.|
+|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]-------------------------
AceType:0x00
(ACCESS_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)
SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
+|Earlier non-domain controller |-|-|No access check is performed by default.|
## Policy management
-This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log.
+This section explains how to configure audit-only mode, how to analyze related events that are logged when the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is enabled, and how to configure event throttling to prevent flooding the event log.
+
+
### Audit only mode
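Review bot: The Default SDDL in the non-domain-controller row, `(O:SYG:SYD:(A;;RC;;;BA)`, has an unbalanced leading parenthesis carried over from the removed row; a security descriptor string begins at `O:`, so it should read `O:SYG:SYD:(A;;RC;;;BA)`. The row label "Windows 10, version 1607 non-domain controller" should also name Windows Server 2016, since the DC row does and the text above the table says the descriptor applies to both. The Translated SDDL cell spills across many lines as shown; unless those breaks are `<br>` tags inside a single table line, the Markdown table stops rendering at the first embedded newline, so check the rendered page. In the Default values text, "applying the same restriction earlier versions of Windows" is missing a preposition ("to earlier versions of Windows"). In the Location section, "you need to edit the registry setting directly or use Group Policy Preferences" followed by "To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 ..." describes the deployment path twice; one sentence listing the three options (direct registry edit, Group Policy Preferences, or the security policy GPO authored on a 1607/2016 computer) would be clearer.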
@@ -95,9 +108,7 @@ Audit only mode configures the SAM interface to do the access check against the
There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
-3. Look for the following events:
-• For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table).
-• For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM.
+3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
4. Identify which security contexts are enumerating users or groups in the SAM database.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
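Review bot: Step 3 drops the distinction the removed lines made between domain controllers (Directory Services log) and non-domain controllers (System log) and now says all events are in the System log. That is a factual change rather than a rewording, and the PR does not say why; confirm on a domain controller running in audit mode which log receives Event IDs 16962 to 16969, and if it is the System log there too, say so explicitly ("in the System log on both domain controllers and member computers") so readers who remember the earlier guidance do not go looking in the Directory Services log.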
diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 27fa6ec7db..8203714148 100644
--- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -21,29 +21,14 @@ The TPM Services Group Policy settings are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-| Setting | Windows 10, version 1607 and Windows Server 2016 | Windows 10, version 1511 and Windows 10, version 1507 |
-|-----------------|--------------------------------------------------|-------------------------------------------------------|
-| [Turn on TPM backup to Active Directory Domain Services](#turn-on-tpm-backup-to-active-directory-domain-services) | | X |
-| [Configure the list of blocked TPM commands](#configure-the-list-of-blocked-tpm-commands) | X | X |
-| [Ignore the default list of blocked TPM commands](#ignore-the-default-list-of-blocked-tpm-commands) | X | X |
-| [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands) | X | X |
-| [Configure the level of TPM owner authorization information available to the operating system](#configure-the-level-of-tpm-owner-authorization-information-available-to-the-operating-system) | X | X |
-| [Standard User Lockout Duration](#standard-user-lockout-duration) | X | X |
-| [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) | X | X |
-| [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) | X | X |
+### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
-### Turn on TPM backup to Active Directory Domain Services
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0.
-This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information.
+Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to:
+a) disable it from group policy and b) clear the TPM on the system.
-TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands.
-
-> [!IMPORTANT]
-> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
-
-If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
-
-If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+**The following Group Policy settings were introduced in Window 10:**
### Configure the list of blocked TPM commands
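Review bot: The new section "Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0" is inserted above the line "**The following Group Policy settings were introduced in Window 10:**", so it now reads as a setting that predates Windows 10 even though its own text says it was introduced in version 1703; place it after that line (or make the line a proper heading that covers both groups) and fix "Window 10". "configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for" is ungrammatical; "sets the TPM's Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values used in Windows 10, version 1607 and earlier" says it. Removing the applicability table also removes the only place the page said which settings apply to 1607/2016 versus 1507/1511; if that information is intentionally dropped, note it in the PR description.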
@@ -164,6 +149,13 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
+> [!IMPORTANT]
+> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
+
+If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
+
+If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
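Review bot: The re-added `> [!IMPORTANT]` note and the two "If you enable ... / If you disable ..." paragraphs belong to "Turn on TPM backup to Active Directory Domain Services", whose heading and introductory text were deleted in the earlier hunk; here they land at the end of "Standard User Total Lockout Threshold", so a reader sees "If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS" as a description of the lockout threshold policy. Either restore the heading and the sentence "This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information." above these paragraphs, or drop the paragraphs along with the rest of that section.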
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 863fc12d71..e134b0e320 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,7 +34,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 5614b0a94c..1078120934 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 8406829b2f..cb875edc71 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -26,6 +26,9 @@ localizationpriority: high
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
+>[!NOTE]
+> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
+
## Configure endpoints using System Center Configuration Manager earlier versions
You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
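Review bot: The added note switches to the abbreviation "SCCM" while the surrounding text spells out "System Center Configuration Manager", and "server version 1610 or above" should say which server is meant (the site server) and match the "(current branch) version" wording used in the heading above it; for example "If you're using a Configuration Manager client at version 1606 with a site server at version 1610 or later, upgrade the client to match the site server version."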
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index f2cd5d5e8b..3c9739ce2e 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
},
"fileMetadata": {},
"template": [],